The Open Group and MIT Experts Detail New Advances in Identity Management to Help Reduce Cyber Risk

Transcript of a BriefingsDirect podcast in conjunction with the upcoming Open Group Conference on the current state and future outlook for identity management.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: The Open Group.

Register for The Open Group Conference
July 16-18 in Washington, D.C. Watch the live stream.

Dana Gardner: Hello, and welcome to a special BriefingsDirect thought leadership interview series coming to you in conjunction with The Open Group Conference this July in Washington, D.C. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, and I'll be your host throughout these discussions.

The conference will focus on enterprise architecture (EA), enterprise transformation, and securing global supply chains. Today, we're here to focus on cyber security, and the burgeoning role that identity (ID) management plays in overall better securing digital assets and systems.

We’ll examine the relationship between controlled digital identities in cyber risk management, and explore how the technical and legal support of ID management best practices have been advancing rapidly. We’ll also see how individuals and organizations can better protect themselves through better understanding and managing of their online identities.

Joining us now to delve into this fast-evolving area are few of the main speakers at the July 16 conference. We are here with Jim Hietala, the Vice President of Security at The Open Group. Welcome, Jim. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

Jim Hietala: Thanks Dana, good to be with you.

Gardner: We are also here with Thomas Hardjono, Technical Lead and Executive Director of the MIT Kerberos Consortium. Welcome, Thomas.

Thomas Hardjono: Hello, Dana.

Gardner: And we are joined by Dazza Greenwood, President of the CIVICS.com consultancy, and lecturer at the MIT Media Lab. Welcome, Dazza.

Dazza Greenwood: Hi. Good to be here.

Gardner: Jim, first question to you. Let’s describe the lay of the land for our listeners. What is ID management generally and how does it form a fundamental component of cyber security?

Hietala: ID management is really the process of identifying folks who are logging onto computing services, assessing their identity, looking at authenticating them, and authorizing them to access various services within a system. It’s something that’s been around in IT since the dawn of computing, and it’s something that keeps evolving in terms of new requirements and new issues for the industry to solve.

Particularly as we look at the emergence of cloud and software-as-a-service (SaaS) services, you have new issues for users in terms of identity, because we all have to create multiple identities for every service we access.

You have issues for the providers of cloud and SaaS services, in terms of how they provision, where they get authoritative identity information for the users, and even for enterprises who have to look at federating identity across networks of partners. There are a lot of challenges there for them as well.

Gardner: Is it fair to say, Jim, that as we expand the boundaries of process and commerce beyond the four walls of the enterprise, that this becomes even more urgent, more of an issue?

Key theme

Hietala: I do think it’s fair to say that. Figuring out who is at the other end of that connection is fundamental to all of cyber security. As we look at the conference that we're putting on this month in Washington, D.C., a key theme is cyber security -- and identity is a fundamental piece of that. So, yeah, I think that’s a fair characterization.

Gardner: Let’s go to you, Thomas. How have you been viewing this in terms of an evolution? Are we at a plateau that we're now starting to advance from? Has this been a continuous progression over the past decade? How has ID management been an active topic?

Hardjono: So it’s been at least a decade since the industry began addressing identity and identity federation. Someone in the audience might recall Liberty Alliance, the Project Liberty in its early days.

One notable thing about the industry is that the efforts have been sort of piecemeal, and the industry, as a whole, is now reaching the point where a true correct identity is absolutely needed now in transactions in a time of so many so-called Internet scams.

The number attacks have increased, including attacks from state-sponsored co-terrorists, all the way to so-called Nigerian scammers. This brings to the forefront the fact that we need two things right now, yesterday even, namely, identity under federation and also a scalable authorization mechanism that’s linked to this strong identity.

Gardner: Dazza, is there a casual approach to this, or a professional need? By that, I mean that we see a lot of social media activities, Facebook for example, where people can have an identity and may or may not be verified. That’s sort of the casual side, but it sounds like what we’re really talking about is more for professional business or eCommerce transactions, where verification is important. In other words, is there a division between these two areas that we should consider before we get into it more deeply?

Greenwood: Rather than thinking of it as a division, a spectrum would be a more useful way to look at it. On one side, you have, as you mentioned, a very casual use of identity online, where it may be self-asserted. It may be that you've signed a posting or an email.

On the other side, of course, the Internet and other online services are being used to conduct very high value, highly sensitive, or mission-critical interactions and transactions all the time. When you get toward that spectrum, a lot more information is needed about the identity authenticating, that it really is that person, as Thomas was starting to foreshadow. The authorization, workflow permissions, and accesses are also incredibly important.

In the middle, you have a lot of gradations, based partly on the sensitivity of what’s happening, based partly on culture and context as well. When you have people who are operating within organizations or within contexts that are well-known and well-understood -- or where there is already a lot of not just technical, but business, legal, and cultural understanding of what happens -- if something goes wrong, there are the right kind of supports and risk management processes.

There are different ways that this can play out. It’s not always just a matter of higher security. It’s really higher confidence, and more trust based on a variety of factors. But the way you phrased it is a good way to enter this topic, which is, we have a spectrum of identity that occurs online, and much of it is more than sufficient for the very casual or some of the social activities that are happening.

Higher risk

But as the economy in our society moves into a digital age, ever more fully and at ever-higher speeds, much more important, higher risk, higher value interactions are occurring. So we have to revisit how it is that we have been addressing identity -- and give it more attention and a more careful design, instead of architectures and rules around it. Then we’ll be able to make that transition more gracefully and with less collateral damage, and really get to the benefits of going online.

Gardner: Jim Hietala, before we go into what’s been happening in the field around ID management, I just wanted to get a better sense of the urgency here. We hear quite a bit about consumerization of IT trends in the enterprise, driven in many respects by mobile use. But it seems to me that there is a need here to move rapidly away from de facto single sign-on through some of the social networks and get more of a mission-critical approach to this.

Do you agree that people have been falling into a consumer’s sense of security for single sign-on, but that it really needs to be better, and therefore we need to ramp up the urgency around it?

Hietala: I do agree with that. It’s not just mobile. You can look at things that are happening right now in terms of trojans, bank fraud, scammers, and attackers, wire transferring money out of company’s bank accounts and other things you can point to.

There are failures in their client security and the customer’s security mechanisms on the client devices, but I think there are also identity failures. They need new approaches for financial institutions to adopt to prevent some of those sorts of things from happening. I don’t know if I’d use the word "rampant," but they are clearly happening all over the place right now. So I think there is a high need to move quickly on some of these issues.

They need new approaches for financial institutions to adopt to prevent some of those sorts of things from happening.

Gardner: I sense that the legacy or historical approach was piecemeal, somewhat slow to react to the marketplace. Then, there is this other side, where the social mechanisms have crept in, and in the middle of this big hole you could drive a truck through.

So let’s talk about what’s going to be happening to shore this up and pull it together? Let’s look at some of the big news. What are some of the large milestones? We’ll start with you Jim for ID management leading up to the present.

Hietala: Well, so I think the biggest recent news is the US National Strategy for Trusted Identities in Cyber Space (NSTIC) initiative. We’ll probably talk about that as we go through this discussion, but that clearly shows that a large government, the United States government, is focused on the issue and is willing to devote resources to furthering an ID management ecosystem and construct for the future.

To me that’s the biggest recent news. You can look on the threat and attack side, and see all sorts of instances, where even the LinkedIn attacks from the last week or so, demonstrate that identity and the loss of identity information is a big deal. You don’t have to look far in the news headlines these days to see identity taking front and center as a big issue that needs to be addressed.

Gardner: Let’s go to you Dazza. What do you see as the big news or milestones of the day. Then, maybe a secondary question on what Jim just mentioned -- that it’s not just about protecting ID, that the bad guys are often trying to take IDs away from others?

At a crossroads

Greenwood: I think that’s right. Where we are just now is at a crossroads where finally industry, government, and increasingly the populations in general, are understanding that there is a different playing field. In the way that we interact, the way we work, the way we do healthcare, the way we do education, the way our social groups cohere and communicate, big parts are happening online.

In some cases, it happens online through the entire lifecycle. What that means now is that a deeper approach is needed. Jim mentioned NSTIC as one of those examples. There are a number of those to touch on that are occurring because of the profound transition that requires a deeper treatment.

NSTIC is the US government’s roadmap to go from its piecemeal approach to a coherent architecture and infrastructure for identity within the United States. It could provide a great model for other countries as well.

People can reuse their identity, and we can start to address what you're talking about with identity and other people taking your ID, and more to the point, how to prove you are who you said you were to get that ID back. That’s not always so easy after identity theft, because we don’t have an underlying effective identity structure in the United States yet.

I just came back from the United Kingdom at a World Economic Forum meeting. I was very impressed by what their cabinet officers are doing with an identity-assurance scheme in large scale procurement. It's very consistent with the NSTIC approach in the United States. They can get tens of millions of their citizens using secure well-authenticated identities across a number of transactions, while always keeping privacy, security, and also individual autonomy at the forefront.

Practically everywhere you look, you see news and signs of this transition that’s occurring, an exciting time for people interested in identity.

There are a number of technology and business milestones that are occurring as well. Open Identity Exchange (OIX) is a great group that’s beginning to bring industry and other sectors together to look at their approaches and technology. We’ve had Security Assertion Markup Language (SAML). Thomas is co-chair of the PC, and that’s getting a facelift.

That approach was being brought to match scale with OpenID Connect, which is OpenID and OAuth. There are a great number of technology innovations that are coming online.

Legally, there are also some very interesting newsworthy harbingers. Some of it is really just a deeper usage of statutes that have been passed a few years ago -- the Uniform Electronic Transactions Act, the Electronic Signatures in Global and National Commerce Act, among others, in the US.

There is eSignature Directive and others in Europe and in the rest of the world that have enabled the use of interactions online and dealt with identity and signatures, but have left to the private sector and to culture which technologies, approaches, and solutions we’ll use.

Now, we're not only getting one-off solutions, but architectures for a number of different solutions, so that whole sectors of the economy and segments of society can more fully go online. Practically everywhere you look, you see news and signs of this transition that’s occurring, an exciting time for people interested in identity.

Gardner: Before we define a few of these approaches, Thomas, a similar question to you, but through a technical lens. What’s most new and interesting from your perspective on what’s being brought to bear on this problem, particularly from a technology perspective?

Two dimensions

Hardjono: It's along two dimensions. The first one is within the Kerberos Consortium. We have a number of people coming from the financial industry. They all have the same desire, and that is to scale their services to the global market, basically sign up new customers abroad, outside United States. In wanting to do so, they're facing a question of identity. How do we assert that somebody in a country is truly who they say they are.

The second, introduces a number of difficult technical problems. Closer to home and maybe at a smaller scale, the next big thing is user consent. The OpenID exchange and the OpenID Connect specifications have been completed, and people can do single sign-on using technology such as OAuth 2.0.

The next big thing is how can an attribute provider, banks, telcos and so on, who have data about me, share data with other partners in the industry and across the sectors of the industry with my expressed consent in a digital manner.

Gardner: Let’s drill down a little bit. Dazza, tell us a bit about the MIT Core ID approach and how this relates to the Jericho Forum approach. I suppose you'd have to just do a quick explanation of what Jericho is in the process of explaining it.

Greenwood: I would defer to Jim of The Open Group to speak more authoritatively on Jericho Forum, which is a part of Open Group. But, in general, Jericho Forum is a group of experts in the security field from industry and, more broadly, who have done some great work in the past on deperimeterized security and some other foundational work.

With a lot of the solutions in the market, your different aspects of life, unintentionally sometimes or even counter-intentionally, will merge.

In the last few years, they've been really focused on identity, coming to realize that identity is at the center of what one would have to solve in order to have a workable approach to security. It's necessary, but not sufficient, for security. We have to get that right.

To their credit, they've come up with a remarkably good list of simple understandable principles, that they call the Jericho Forum Identity Commandments, which I strongly commend to everybody to read.

It puts forward a vision of an approach to identity, which is very constant with an approach that I've been exploring here at MIT for some years. A person would have a core ID identity, a core ID, and could from that create more than one persona. You may have a work persona, an eCommerce persona, maybe a social and social networking persona and so on. Some people may want a separate political persona.

You could cluster all of the accounts, interactions, services, attributes, and so forth, directly related to each of those to those individual personas, but not be in a situation where we're almost blindly backing into right now. With a lot of the solutions in the market, your different aspects of life, unintentionally sometimes or even counter-intentionally, will merge.

Good architecture

Sometimes, that’s okay. Sometimes, in fact, we need to be able to have an inability to separate different parts of life. That’s part of privacy and can be part of security. It's also just part of autonomy. It's a good architecture. So Jericho Forum has got the commandments.

Many years ago, at MIT, we had a project called the Identity Embassy here in the Media Lab, where we put forward some simple prototypes and ideas, ways you could do that. Now, with all the recent activity we mentioned earlier toward full-scale usage of architectures for identity in US with NSTIC and around the world, we're taking a stronger, deeper run at this problem.

Thomas and I have been collaborating across different parts of MIT. I'm putting out what we think is a very exciting and workable way that you can in a high security manner, but also quite usably, have these core identifiers or individuals and inextricably link them to personas, but escape that link back to the core ID, and from across the different personas, so that you can get the benefits when you want them, keeping the personas separate.

Also it allows for many flexible business models and other personalization and privacy services as well, but we can get into that more in the fullness of time. But, in general, that’s what’s happening right now and we couldn’t be more excited about it.

Gardner: Of course, you'll be discussing this in greater detail at The Open Group Conference coming up on July 16, so we look forward to that. When it comes to this notion of a core ID, where might that be implemented and instantiated? Where would I keep my core ID, so that I could develop these other personas, have a form of federation as a result, but managed through my own core? Where would that core reside?

It's important to recognize that people are not computer scientists and hardware manufacturers, and don't run data centers in their basements.

Greenwood: I'll say a couple of words on that and I think Thomas has a few words as well. The Jericho Forum is pretty definite that they favor having the individual human being have a hardware device of some kind, a cryptographically hardened module of some kind, within which the data that comprises the core identifier.

Also some wrapping data that Thomas and I are putting forward in the proposed architecture would reside on it, and that would be literally owned and under control of, in the pocket of, the person, so they can treat it almost like their wallet. It maybe would become part of the future wallet, or what we come to think of this as a wallet, with digital walletized services on phones and other devices people have with them.

So there is that high dimension, a very basic answer where the data would reside. It's important to recognize that people are not computer scientists and hardware manufacturers, and don't run data centers in their basements. There is always a critical role for service providers to make this easy for people, so there would be simple products and simple services that people can use to have the issuance and management of each of layers of their identity.

Part of what we have done is come up with an architecture with the right types of institutions. Mixes of governments and other highly-trusted institutions that for hundreds or more years have already been the authoritative source for identity, as opposed to new startups, would have their appropriate role. Then, layers of service providers that provide personalization, eCommerce, and other services, whatever their appropriate roles within the ecosystem we’re looking toward to help support and enable within the architecture we’re putting up. Thomas may have some more on that.

Hardjono: I agree with Dazza. For a global infrastructure for core identities to be able to develop, we definitely need collaboration between the governments of the world and the private sector. Looking at this problem, we were searching back in history to find an analogy, and the best analogy we could find was the rollout of a DNS infrastructure and the IP address assignment.

Register for The Open Group Conference
July 16-18 in Washington, D.C. Watch the live stream.

Here today

It's not perfect and it's got its critics, but the idea is that you could split blocks of IP addresses and get it sold and resold by private industry, really has allowed the Internet to scale, hitting limitations, but of course IPv6 is on the horizon. It's here today.

So we were thinking along the same philosophy, where core identifiers could be arranged in blocks and handed out to the private sector, so that they can assign, sell it, or manage it on behalf of people who are Internet savvy, and perhaps not, such as my mom. So we have a number of challenges in that phase.

Gardner: Very interesting. Does this relate to the MIT Model Trust Framework System Rules project? If so, please explain how and how this notion of a directory -- either private, public or in some combination -- would help to move this core ID concept forward.

Greenwood: The Model Trust Framework System Rules project that we are pursuing in MIT is a very important aspect of what we're talking about. Thomas and I talked somewhat about the technical and practical aspects of core identifiers and core identities. There is a very important business and legal layer within there as well.

So these trust framework system rules are ways to begin to approach the complete interconnected set of dimensions necessary to roll out these kinds of schemes at the legal, business, and technical layers.

What’s really missing is the business models, business cases, and of course the legal side.

They come from very successful examples in the past, where organizations have federated ID with more traditional approaches such as SAML and other approaches. There are some examples of those trust framework system rules at the business, legal, and technical level available.

Right now it’s CIVICS.com, and soon, when we have our model MIT under Creative Commons approach, we'll take a lot of the best of what’s come before codified in a rational way. Business, legal, and technical rules can really be aligned in a more granular way to fit well, and put out a model that we think will be very helpful for the identity solutions of today that are looking at federate according to NSTIC and similar models. It absolutely would be applicable to how at the core identity persona underlying architecture and infrastructure that Thomas, I, and Jericho Forum are postulating could occur.

Gardner: Thomas, anything to add to what Dazza just said?

Hardjono: No. I'm looking back 10-15 years. We engineers came up with all sorts of solutions and standardized them. What’s really missing is the business models, business cases, and of course the legal side.

How can a business make revenue out of the management of identity-related aspects, management of attributes, and so on and how can they do so in such a manner that it doesn’t violate the user’s privacy. But it’s still user-centric in the sense that the user needs to give consent and can withdraw consent and so on. And trying to develop an infrastructure where everybody is protected.

Gardner: So it sounds as if you are proposing a chartered or regulated industry, perhaps modeled somewhat on ICANN and the way that DNS has been managed to be the facilitator of these core IDs and then further into federation. Is that fair?

Almost an afterthought

Hardjono: It's only an analogy. Unfortunately if you look at history, people say that ICANN is an organization that was put together quickly, slapped together quickly, because the Internet was growing so fast. It's almost an afterthought for how to regulate the management of IP addresses.

I am hoping that this time around, for identity, we have a more planned and thought-out process that would allow an infrastructure to remain for the next 50 years or 100 years and scale for the needs of technology 50 years from now and 100 years from now.

Greenwood: I’ll just pick up on that a little bit. What you described there was like be a regulated industry. Perhaps one day, but that’s not today and that’s not tomorrow. What we have today is just reality, as it exists, and so what we're coming up with is something that works in a few levels. One of them is a vision in line with the Jericho Forum’s vision. It's a future state vision. It's a very good vision to work towards to help organize our thinking and to get out for discussion and dialogue on ideal amendments or consensus.

Meanwhile, from this trust framework system rules approach and some of the skunkworks project that we'll be able to share at The Open Group Conference in D.C. out of MIT, we're showing in a stepwise way how can we get there from here, what constructive things can we do that are in alignment with this vision today.

The system rules at the business, legal, and technical level in this model trust framework system rules approach are great because they are very flexible. There are lots of examples in payment systems, supply chains, identity federations, and other places, where they use multilateral contractual approaches, can allow multiple stakeholders to get together right now to define their liability, choose the technologies, establish the business processes, and so forth and get rolling.

I am hoping that this time around, for identity, we have a more planned and thought-out process that would allow an infrastructure to remain for the next 50 years or 100 years.

So we are attempting to offer something that can work today. One day perhaps there may be an industry or industries that may be regulated without really presuming how exactly that will come out. Those are decisions, as Thomas said, that are best made, because they are infrastructural really, by a number of different parties over time.

Gardner: Jim Hietala, at The Open Group, being a global organization focused on the collaboration process behind the establishment of standards, it sounds like these are some important aspects that you can bring out to your audience, and start to create that collaboration and discussion that could lead to more fuller implementation. Is that the plan, and is that what we're expecting to hear more of at the conference next month?

Hietala: It is a plan, and we do get a good mix at our conferences and events of folks from all over the world, from government organizations and large enterprises as well. So it tends to be a good mixing of thoughts and ideas from around the globe on whatever topic we're talking about -- in this case identity and cyber security.

At the Washington Conference, we have a mix of discussions. The kick-off one is a fellow by the name Joel Brenner who has written a book, America the Vulnerable, which I would recommend. He was inside the National Security Agency (NSA) and he's been involved in fighting a lot of the cyber attacks. He has a really good insight into what's actually happening on the threat and defending against the threat side. So that will be a very interesting discussion. [Read an interview with Joel Brenner.]

Then, on Monday, we have conference presentations in the afternoon looking at cyber security and identity, including Thomas and Dazza presenting on some of the projects that they’ve mentioned.

Cartoon videos

Then, we're also bringing to that event for the first time, a series of cartoon videos that were produced for the Jericho Forum. They describe a lot of the commandments that Dazza mentioned in a more approachable way. So they're hopefully understandable to laymen, and folks with not as much understanding about all the identity mechanisms that are out there. So, yeah, that’s what we are hoping to do.

Gardner: Do you sense that what MIT has been working on, and what Dazza and Thomas have been describing, are some important foundational blocks to where you see this going. Are they filling a need that you can bring to bear on the discussions and some of the standardization work at The Open Group?

Hietala: Absolutely. They fill a void in the market in terms of organizations that are willing to do that sort of work. The Jericho Forum tends to do forward-looking, thought-leadership kinds of work, looking at problems at the highest level and providing some guidance. Doing model trust frameworks and those sorts of things is that next layer of detail down that’s really critical to the industry. So we encourage it and are happy it's happening.

Gardner: We’re coming up on our time limit, but I did want to dive a little bit deeper into NSTIC. We mentioned that earlier on as an important aspect. Now that we’ve talked a bit more about what's going on with Core ID concepts and trust framework activities, perhaps we could now better explain what NSTIC is and does, but in the context of what we’ve already understood. Who would like to take a step at that?

Greenwood: The best person to speak about NSTIC in the United States right now is probably President Barrack Obama, because he is the person that signed the policy. Our president and the administration has taken a needed, and I think a very well-conceived approach, to getting industry involved with other stakeholders in creating the architecture that’s going to be needed for identity for the United States and as a model for the world, and also how to interact with other models.

In general, NSTIC is a strategy document and a roadmap for how a national ecosystem can emerge.

Jeremy Grant is in charge of the program office and he is very accessible. So if people want more information, they can find Jeremy online easily in at nist.gov/nstic. And nstic.us also has more information.

In general, NSTIC is a strategy document and a roadmap for how a national ecosystem can emerge, which is comprised of a governing body. They're beginning to put that together this very summer, with 13 different stakeholders groups, each of which would self-organize and elect or appoint a person -- industry, government, state and local government, academia, privacy groups, individuals -- which is terrific -- and so forth.

That governance group will come up with more of the details in terms of what the accreditation and trust marks look like, the types of technologies and approaches that would be favored according to the general principles I hope everyone reads within the NSTIC document.

At a lower level, Congress has appropriated more than $10 million to work with the White House for a number of pilots that will be under a million half dollars each for a year or two, where individual proof of concept, technologies, or approaches to trust frameworks will be piloted and put out into where they can be used in the market.

In general, by this time two months from now, we’ll know a lot more about the governing body, once it’s been convened and about the pilots once those contracts have been awarded and grants have been concluded. What we can say right now is that the way it’s going to come together is with trust framework system rules, the same exact type of entity that we are doing a model of, to help facilitate people's understanding and having templates and well-thought through structures that they can pull down and, in turn, use as a starting point.

Circle of trust

So industry-by-industry, sector-by-sector, but also what we call circle of trust by circle of trust. Folks will come up with their own specific rules to define exactly how they will meet these requirements. They can get a trust mark, be interoperable with other trust framework consistent rules, and eventually you'll get a clustering of those, which will lead to an ecosystem.

The ecosystem is not one size fits all. It’s a lot of systems that interoperate in a healthy way and can adapt and involve over time. A lot more, as I said, is available on nstic.us and nist.gov/nstic, and it's exciting times. It’s certainly the best government document I have ever read. I'll be so very excited to see how it comes out.

Gardner: A good read for the summer, no doubt. Before we close out, let's affirm for our audience how important this is. Clearly, we are at a crossroads, as you mentioned, Dazza. It seems to me that the steam, the pressure, for having a better means of ID management is building rapidly from things like the use of multiple mobile devices, location-based commerce, the fact that more of our personal business and economic lives are moving to the cyber realm.

Being able to continue to gain productivity from that really falls back to this issue about maintaining a core and verifiable identity, and being able to use that effectively in more-and-more types of activities.

Being able to continue to gain productivity from that really falls back to this issue about maintaining a core and verifiable identity.

Do you agree? What would be some of the future trends that are going to drive even more demand to solve this problem? Let’s start with you, Jim, and go through our panel. What’s coming down the pike that’s going to make this yet more important?

Hietala: I would turn to the threat and attacks side of the discussion and say that, unfortunately, we're likely to see more headlines of organizations being breached, of identities being lost, stolen, and compromised. I think it’s going to be more bad news that's going to drive this discussion forward. That’s my take based on working in the industry and where it’s at right now.

Gardner: Thomas, same question.

Hardjono: I mentioned the user consent going forward. I think this is increasingly becoming an important sort of small step to address and to resolve in the industry and efforts like the User Managed Access (UMA) working group within the Kantara Initiative.

Folks are trying to solve the problem of how to share resources. How can I legitimately not only share my photos on Flickr with data, but how can I allow my bank to share some of my attributes with partners of the bank with my consent. It’s a small step, but it’s a pretty important step.

Gardner: Dazza, what future events or trends are going to drive this more rapidly to the public consciousness and perhaps even spur the movement towards some resolution?

Greenwood: I completely agree with Thomas, keep your eyes on UMA out of Kantara. Keep looking at OASIS, as well, and the work that’s coming with SAML and some of the Model Trust Framework System Rules.

Most important thing

In my mind the most strategically important thing that will happen is OpenID Connect. They're just finalizing the standard now, and there are some reference implementations. I'm very excited to work with MIT, with our friends and partners at MITRE Corporation and elsewhere.

That’s going to allow mass scales of individuals to have more ready access to identities that they can reuse in a great number of places. Right now, it's a little bit catch-as-catch-can. You’ve got your Google ID or Facebook, and a few others. It’s not something that a lot of industries or others are really quite willing to accept to understand yet.

They've done a complete rethink of that, and use the best lessons learned from SAML and a bunch of other federated technology approaches. I believe this one is going to change how identity is done and what’s possible.

They’ve done such a great job on it, I might add It fits hand in glove with the types of Model Trust Framework System Rules approaches, a layer of UMA on top, and is completely consistent with the architecture rights, with a future infrastructure where people would have a Core ID and more than one persona, which could be expressed as OpenID Connect credentials that are reusable by design across great numbers of relying parties getting where we want to be with single sign-on.

I believe this one is going to change how identity is done and what’s possible.

So it's exciting times. If it's one thing you have to look at, I’d say do a Google search and get updates on OpenID Connect and watch how that evolves.

Gardner: Very good. We've been talking about cyber security and the burgeoning role that identification management plays in the overall securing of assets and systems. We've learned quite a bit about how individuals in organizations could begin to better protect themselves through better understanding and managing of their online identities.

This special BriefingsDirect discussion comes to you in conjunction with The Open Group Conference from July 16 to 20 in Washington, D.C. You’ll hear more from these and other experts on the ways that IT and enterprise architecture support enterprise transformation.

I’d like to thank our panel for this fascinating discussion, Jim Hietala, the Vice President of Security at The Open Group. Thank you, Jim.

Hietala: Thank you, Dana.

Gardner: We are also here with Thomas Hardjono, Technical Lead and Executive Director of the MIT Kerberos Consortium. Thank you so much, Thomas.

Hardjono: Thank you, Dana.

Gardner: And also Dazza Greenwood, President of the CIVICS.com consultancy and a lecturer at the MIT Media Lab. Thanks very much, Dazza.

Greenwood: Thanks. It's been a pleasure.

Gardner: I look forward to your presentations in Washington and I encourage our readers and listeners to look at this conference, register if you can, go to learn more about what’s going to be happening there and some of the activities will be streamed live for you to consume regardless of where you are.

Thank you all too, the audience, for listening. This is Dana Gardner, Principal Analyst at Interarbor Solutions. Don’t forget to come back next time.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: The Open Group.

Register for The Open Group Conference
July 16-18 in Washington, D.C. Watch the live stream.

Transcript of a BriefingsDirect podcast in conjunction with the upcoming Open Group Conference on the current state and future outlook for identity management. Copyright The Open Group and Interarbor Solutions, LLC, 2005-2012. All rights reserved.

You may also be interested in:

• Corporate Data, Supply Chains Remain Vulnerable to Cyber Crime Attacks Says Open Group Conference Speaker
• Open Group Conference Speakers Discuss the Cloud: Higher Risk or Better Security?
• Capgemini's CTO on Why Cloud Computing Exposes the Duality Between IT and Business
• San Francisco Conference observations: Enterprise transformation, enterprise architecture, SOA and a splash of cloud computing
  
• MIT's Ross on how enterprise architecture and IT more than ever lead to business transformation
• Overlapping criminal and state threats pose growing cyber security threat to global Internet commerce, says Open Group speaker
• Enterprise architects play key role in transformation, data analytics value -- but they need to act fast, say Open Group speakers

Open Group Conference Speakers Discuss the Cloud: Higher Risk or Better Security?

A sponsored podcast discussion from The Open Group Conference in San Francisco on what the burgeoning cloud movement means for enterprise security.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: The Open Group.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference held in San Francisco the week of January 30, 2012.

We've assembled a panel from among the conference speakers and contributors to examine the relationship between cloud computing and security. For some, any move to the cloud, at least the public cloud, means a higher risk for security. For others, relying more on a public cloud provider means better security. There’s more of a concentrated and comprehensive focus on security best practices that are perhaps implemented and monitored centrally.

And so which is it? Is cloud a positive or negative when it comes to security? And what of hybrid models that combine public and private cloud activities, how is security impacted in those cases? We'll pose these and other questions to our panel here now to deeply examine how cloud and security come together, for better or worse.

Please join me now in welcoming our panelists. We're here today with Jim Hietala, Vice President of Security for The Open Group. Welcome, Jim. [Disclosure: The Open Group and HP are sponsors of BriefingsDirect podcasts.]

Jim Hietala: Thanks Dana. Glad to be here.

Gardner: We're also here with Stuart Boardman, Senior Business Consultant at KPN, where he co-leads the Enterprise Architecture Practice as well as the Cloud Computing Solutions Group. Stuart is also a co-chair of the Security for the Cloud and SOA Projects under The Open Group Cloud Work Group. Welcome.

Stuart Boardman: Thanks.

Gardner: And we're here with Dave Gilmour, an Associate at Metaplexity Associates and a Director at PreterLex Ltd. Welcome, Dave.

Dave Gilmour: Good afternoon.

Gardner: And lastly, we're here with Mary Ann Mezzapelle, Strategist for Enterprise Services and Chief Technologist for Security Services at HP. She's also a member of The Open Group Security Forum Steering Committee. Welcome, Mary Ann.

Mary Ann Mezzapelle: I'm glad to be here.

Gardner: We've heard quite a bit here at the conference, and one of the speakers, Andy Mulholland, the Chief Technology Officer at Capgemini, was raising this concept of "outside IT" as an important business imperative. More organizations are looking to do more activities that would have previously been inside the firewall under the purview of IT.

Now, whether it’s software as a service (SaaS), or whether it’s cloud, whether it’s business services from a variety of different providers, more business activities and business processes are being combined with an outside-the-enterprise-firewall entity.

So Jim Hietala, to you. This poses a problem to the traditional IT folks, to the chief security officer, if you have one. Is this notion of going outside the firewall fundamentally a good or bad thing when it comes to security?

Failed strategy

Hietala: It can be either. Talking to security people in large companies, frequently what I hear is that with adoption of some of those services, their policy is either let’s try and block that until we get a grip on how to do it right, or let’s establish a policy that says we just don’t use certain kinds of cloud services. Data I see says that’s really a failed strategy. Adoption is happening whether they embrace it or not.

The real issue is how you do that in a planned, strategic way, as opposed to letting services like Dropbox and other kinds of cloud collaboration services just happen. So it’s really about getting some forethought around how do we do this the right way, picking the right services that meet your security objectives, and going from there.

Gardner: For a moment I thought you were going to say it depends and I'm glad you didn’t, but in a sense that’s what it comes down to. We'll get into that in a little bit more detail, but let’s go around the panel first.

Stuart Boardman, is cloud computing good or bad for security purposes?

Boardman: It’s simply a fact, and it’s something that we need to learn to live with, and I think Jim has covered quite a few of the things that I think are really important.

What I wanted to add to that is what I've noticed through my own work is a lot of enterprise security policies were written before we had cloud, but when we had private web applications that you might call cloud these days, and the policies tend to be directed towards staff’s private use of the cloud.

Then you run into problems, because you read something in policy and if you interpret that as meaning cloud, it means you can’t do it. And if you say it’s not cloud, then you haven’t got any policy about it at all. Enterprises need to sit down and think, "What would it mean to us to make use of cloud services and to ask as well, what are we likely to do with cloud services?"

Gardner: Dave, if you're a cloud provider, you have to be secure or you're dead. You're not going to be in business very long. Is there an added impetus for cloud providers to be somewhat more secure perhaps than enterprises?

Gilmour: It depends on the enterprise that they're actually supplying to. If you're in a heavily regulated industry, you have a different view of what levels of security you need and want, and therefore what you're going to impose contractually on your cloud supplier. That means that the different cloud suppliers are going to have to attack different industries with different levels of security arrangements.

The problem there is that the penalty regimes are always going to say, "Well, if the security lapses, you're going to get off with two months of not paying" or something like that. That kind of attitude isn't going to go in this kind of security.

What I don’t understand is exactly how secure cloud provision is going to be enabled and governed under tight regimes like that.

Gardner: It seems as if we almost have a runaway market. We have things that are happening faster than we've got anything in place to accommodate it, whether it’s at different layers, for different regulatory purposes, and how to price around. We're really in the wild west so far.

Mary Ann, any thoughts about whether this period of shakeout that we're in will provoke market forces so that security is perhaps better managed than it would have been without these sort of dynamic market forces?

An opportunity

Mezzapelle: You're right that there's a differentiation, and there's an opportunity in each of the sections, because it’s a place where you can either have the supplier provide the security for you, if it’s not in a regulated industry. Or, if you're in a regulated industry, you have the option of layering your own security services on top of it, hopefully integrated with it, or embedded with it even better. But you have that opportunity.

Gardner: Jim, we've seen in the public sector, governments recognizing that cloud models could be a benefit to them. They can reduce redundancy. They can control and standardize. They're putting in place some definitions, implementation standards, and so forth. Is the vanguard of correct cloud computing with security in mind being managed by governments at this point?

Hietala: I'd say that they're at the forefront. Some of these shared government services, where they stand up cloud and make it available to lots of different departments in a government, have the ability to do what they want from a security standpoint, not relying on a public provider, and get it right from their perspective and meet their requirements. They then take that consistent service out to lots of departments that may not have had the resources to get IT security right, when they were doing it themselves. So I think you can make a case for that.

Gardner: Stuart, being involved with standards activities yourself, does moving to the cloud provide a better environment for managing, maintaining, instilling, and improving on standards than enterprise by enterprise by enterprise? As I say, we're looking at a larger pool and therefore that strikes me as possibly being a better place to invoke and manage standards.

Boardman: Dana, that's a really good point, and I do agree. Also, in the security field, we have an advantage in the sense that there are quite a lot of standards out there to deal with interoperability, exchange of policy, exchange of credentials, which we can use. If we adopt those, then we've got a much better chance of getting those standards used widely in the cloud world than in an individual enterprise, with an individual supplier, where it’s not negotiation, but "you use my API, and it looks like this."

Will we get enough specific weight of people who are using it to force the others to come on board? And I have no idea what the answer to that is.

Having said that, there are a lot of well-known cloud providers who do not currently support those standards and they need a strong commercial reason to do it. So it’s going to be a question of the balance. Will we get enough specific weight of people who are using it to force the others to come on board? And I have no idea what the answer to that is.

Gardner: We've also seen that cooperation is an important aspect of security, knowing what’s going on on other people's networks, being able to share information about what the threats are, remediation, working to move quickly and comprehensively when there are security issues across different networks.

Is that a case, Dave, where having a cloud environment is a benefit? That is to say more sharing about what’s happening across networks for many companies that are clients or customers of a cloud provider rather than perhaps spotty sharing when it comes to company by company?

Gilmour: There is something to be said for that, Dana. Part of the issue, though, is that companies are individually responsible for their data. They're individually responsible to a regulator or to their clients for their data. The question then becomes that as soon as you start to share a certain aspect of the security, you're de facto sharing the weaknesses as well as the strengths.

So it’s a two-edged sword. One of the problems we have is that until we mature a little bit more, we won’t be able to actually see which side is the sharpest.

Gardner: So our premise that cloud is good and bad for security is holding up, but I'm wondering whether the same things that make you a risk in a private setting -- poor adhesion to standards, no good governance, too many technologies that are not being measured and controlled, not instilling good behavior in your employees and then enforcing that -- wouldn’t this be the same either way? Is it really cloud or not cloud, or is it good security practices or not good security practices? Mary Ann.

No accountability

Mezzapelle: You're right. It’s a little bit of that "garbage in, garbage out," if you don’t have the basic things in place in your enterprise, which means the policies, the governance cycle, the audit, and the tracking, because it doesn’t matter if you don’t measure it and track it, and if there is no business accountability.

David said it -- each individual company is responsible for its own security, but I would say that it’s the business owner that’s responsible for the security, because they're the ones that ultimately have to answer that question for themselves in their own business environment: "Is it enough for what I have to get done? Is the agility more important than the flexibility in getting to some systems or the accessibility for other people, as it is with some of the ubiquitous computing?"

So you're right. If it’s an ugly situation within your enterprise, it’s going to get worse when you do outsourcing, out-tasking, or anything else you want to call within the cloud environment. One of the things that we say is that organizations not only need to know their technology, but they have to get better at relationship management, understanding who their partners are, and being able to negotiate and manage that effectively through a series of relationships, not just transactions.

Gardner: Jim Hietala, it’s almost ironic that if you're an enterprise that doesn’t do security particularly well, moving to the cloud might be an improvement for you. On the other hand, if you're an enterprise that is a crackerjack security organization, going to the cloud might be a step down.

So does this mean that the cloud providers will be sopping up all of the poor practitioners of security out there, probably for the betterment of everyone?

For small to mid-size enterprises, it may be that the cloud service that they're looking at does security a whole lot better than they do

Hietala: You can make that case, and certainly for small to mid-size enterprises, it may be that the cloud service that they're looking at does security a whole lot better than they do. So maybe it raises the floor for a large numbers of companies. That can be true, sure.

Gardner: Another thing we heard today during the opening speeches at the conference was this notion of enterprise transformation and the role of the enterprise architect. One of the things that jumped out at me that was common was this view that data, good data available to everyone, is an imperative, and this is where the businesses want to go.

One of the things that’s been bandied about in cloud computing is that putting data in the cloud is the risk. I think we've moved beyond that. I think that was an oversimplification.

But if data, sharing data, and getting the data to everyone in your organization is so important, it strikes me that cloud component is going to be part of that, especially if we're dealing with business processes across organizations, doing joins, comparing and contrasting data, crunching it and sharing it, making data actually part of the business, a revenue generation activity, all seems prominent and likely.

So to you, Mr. Boardman, what is the issue now with data in the cloud? Is it good, bad, or just the same double-edged sword, and it just depends how you manage and do it?

Boardman: Dana, I don’t know whether we really want to be putting our data in the cloud, so much as putting the access to our data into the cloud. There are all kinds of issues you're going to run up against, as soon as you start putting your source information out into the cloud, not the least privacy and that kind of thing.

A bunch of APIs

What you can do is simply say, "What information do I have that might be interesting to people? If it’s a private cloud in a large organization elsewhere in the organization, how can I make that available to share?" Or maybe it's really going out into public. What a government, for example, can be thinking about is making information services available, not just what you go and get from them that they already published. But “this is the information," a bunch of APIs if you like. I prefer to call them data services, and to make those available.

So, if you do it properly, you have a layer of security in front of your data. You're not letting people come in and do joins across all your tables. You're providing information. That does require you then to engage your users in what is it that they want and what they want to do. Maybe there are people out there who want to take a bit of your information and a bit of somebody else’s and mash it together, provide added value. That’s great. Let’s go for that and not try and answer every possible question in advance.

Gardner: So if I understand, your position is don’t put the data in the cloud, put the pointers to the data that you retain control over. Is that essentially it?

Boardman: In general. Well, put the data in the cloud if you have a very good reason to do it, but if you are sharing your information, no, don’t put it in the cloud.

Gardner: Dave, do you agree with that, or do you think that there is a place in the cloud for some data?

Gilmour: There's definitely a place in the cloud for some data. I get the impression that there is going to drive out of this something like the insurance industry, where you'll have a secondary cloud. You'll have secondary providers who will provide to the front-end providers. They might do things like archiving and that sort of thing.

If you have that situation where your contractual relationship is two steps away, then you have to be very confident and certain of your cloud partner.

Now, if you have that situation where your contractual relationship is two steps away, then you have to be very confident and certain of your cloud partner, and it has to actually therefore encompass a very strong level of governance.

The other issue you have is that you've got then the intersection of your governance requirements with that of the cloud provider’s governance requirements. Therefore you have to have a really strongly -- and I hate to use the word -- architected set of interfaces, so that you can understand how that governance is actually going to operate.

Gardner: Mary Ann, do you see the data available in the cloud as something that’s going to continue, and what if organizations that don’t do security very well? Wouldn’t their data perhaps be safer in a cloud than if they have a poorly managed network?

Mezzapelle: You're right. It makes a difference as to how you approach it. There is data in the cloud and there will continue to be data in the cloud, whether you want it there or not. The best organizations are going to start understanding that they can’t control it that way and that perimeter-like approach that we've been talking about getting away from for the last five or seven years.

So what we want to talk about is data-centric security, where you understand, based on role or context, who is going to access the information and for what reason. I think there is a better opportunity for services like storage, whether it’s for archiving or for near term use.

There are also other services that you don’t want to have to pay for 12 months out of the year, but that you might need independently. For instance, when you're running a marketing campaign, you already share your data with some of your marketing partners. Or if you're doing your payroll, you're sharing that data through some of the national providers.

Data in different places

So there already is a lot of data in a lot of different places, whether you want cloud or not, but the context is, it’s not in your perimeter, under your direct control, all of the time. The better you get at managing it wherever it is specific to the context, the better off you will be.

Gardner: I think it was Jeanne Ross from MIT who said today that the customer data is perhaps the most important, that a full, common, trusted view of customer data is really an important strategic asset for companies. A lot of where the metadata about customers is these days is in these social networks like Facebook. So if Facebook has a fairly good chunk of information about your customers, that’s already in the cloud, it seems to me that this is a slippery slope that we're already halfway down. Is that the case, Jim?

Hietala: I'd agree it’s a slippery slope. That’s the most dangerous data to stick out in a cloud service, if you ask me. If it's personally identifiable information, then you get the privacy concerns that Stuart talked about. So to the extent you're looking at putting that kind of data in a cloud, looking at the cloud service and trying to determine if we can apply some encryption, apply the sensible security controls to ensure that if that data gets loose, you're not ending up in the headlines of the Wall Street Journal.

Gardner: Stuart, thoughts about what's already in the cloud, Facebook? Let's use that as an example. You want to compare and contrast your customer data with what these customers have put up there for everyone to see. How do you think that this goes against your thought of just joins for the cloud?

Boardman: Well, if we are seeing it as a hybrid cloud, the information that you have about your own customers is internal. It could be in a private cloud, whatever, it could be in any secure situation where the access is secure. There's nothing, of course, that would stop you from using information that people put on the Facebook, because it isn't protected by privacy laws, because they have chosen to put it out there themselves, in general.

There is data in the cloud, and we may make use of the cloud subject to the appropriate constraints.

I'm sorry, but I'm not the world’s greatest legal expert, and there may be some privacy laws that say you can't do that, but I think, in general, if people make it publicly available, then there is nothing in that profile to stop it.

It's a question of, if you've got to get data on Facebook, you're doing that via Facebook’s APIs. You can't just go into Facebook and go join some of their tables. So I don’t think that conflicts at all with what I said before. I have to come back to what Mary Ann said. You're right. There is data in the cloud, and we may make use of the cloud subject to the appropriate constraints. My point was more that information is something that we have to provide that provides value, and we should exploit it that way.

Gardner: I want to take a wild guess that Facebook would probably like to sell you the opportunity to join their cloud more deeply, but of course they would run into trouble with the permissions, the access, and the trust of their customers. So there's another whole podcast discussion in that.

Let's go to Dave. You said there will be different levels on a regulatory basis for security. Wouldn’t that also play with data? Wouldn't there be different types of data and therefore a spectrum of security and availability to that data, and we're waiting to see how that shakes out in the market?

Gilmour: You're right. If we come back to the Facebook example, Facebook is data that, even if it's data about our known customers, it's stuff that they have put out there with their will. The data that they give us, they have given to us for a purpose, and it is not for us then to distribute that data or make it available elsewhere. The fact that it may be the same data is not relevant to the discussion.

Three-dimensional solution

That’s where I think we are going to end up with not just one layer or two layers. We're going to end up with a sort of a three-dimensional solution space. We're going to work out exactly which chunk we're going to handle in which way. There will be significant areas where these things crossover.

The other thing we shouldn’t forget is that data includes our software, and that’s something that people forget. Software nowadays is out in the cloud, under current ways of running things, and you don't even always know where it's executing. So if you don’t know where your software is executing, how do you know where your data is?

Gardner: That raises the regulatory issues about some requirements for data to reside in some physical location within some boundary. How is that practically managed? It seems like a whole big can of worms, but nonetheless, the top is off the can and we're already into it.

Gilmour: It's going to have to be just handled one way or another, and I think it's going to be one of these things where it's going to be shades of gray, because it cannot be black and white. The question is going to be, what's the threshold shade of gray that's acceptable.

Gardner: Mary Ann, to this notion of the different layers of security for different types of data, is there anything happening in the market that you're aware of that’s already moving in that direction, either from a structured basis or ad hoc, organic in the marketplace, do we have a taxonomy of data types yet? How are we progressing in that direction?

That's the importance of something like an enterprise architecture that can help you understand that you're not just talking about the technology components, but the information.

Mezzapelle: The experience that I have is mostly in some of the business frameworks for particular industries, like healthcare and what it takes to comply with the HIPAA regulation, or in the financial services industry, or in consumer products where you have to comply with the PCI regulations.

There has continued to be an issue around information lifecycle management, which is categorizing your data. Within a company, you might have had a document that you coded private, confidential, top secret, or whatever. So you might have had three or four levels for a document.

You've already talked about how complex it's going to be as you move into trying understand, not only for that data, that the name Mary Ann Mezzapelle, happens to be in five or six different business systems over a 100 instances around the world.

That's the importance of something like an enterprise architecture that can help you understand that you're not just talking about the technology components, but the information, what they mean, and how they are prioritized or critical to the business, which sometimes comes up in a business continuity plan from a system point of view. That's where I've advised clients on where they might start looking to how they connect the business criticality with a piece of information.

One last thing. Those regulations don't necessarily mean that you're secure. It makes for good basic health, but that doesn't mean that it's ultimately protected.You have to do a risk assessment based on your own environment and the bad actors that you expect and the priorities based on that.

Leaving security to the end

Boardman: I just wanted to pick up here, because Mary Ann spoke about enterprise architecture. One of my bugbears -- and I call myself an enterprise architect -- is that, we have a terrible habit of leaving security to the end. We don't architect security into our enterprise architecture. It's a techie thing, and we'll fix that at the back. There are also people in the security world who are techies and they think that they will do it that way as well.

I don’t know how long ago it was published, but there was an activity to look at bringing the SABSA Methodology from security together with TOGAF. There was a white paper published a few weeks ago.

The Open Group has been doing some really good work on bringing security right in to the process of EA.

Mezzapelle: Jim, you may want to talk about the work that we're going to do about integrating the security part of the framework into TOGAF.

Hietala: In the next version of TOGAF, which has already started, there will be a whole emphasis on making sure that security is better represented in some of the TOGAF guidance. That's ongoing work here at The Open Group.

Gardner: As I listen, it sounds as if the in the cloud or out of the cloud security continuum is perhaps the wrong way to look at it. Somebody, I think it was Mary Ann, mentioned lifecycle. If you have a lifecycle approach to services and to data, then you'll have a way in which you can approach data uses for certain instances, certain requirements, and that would then apply to a variety of different private cloud, public cloud, hybrid cloud.

You may come to the conclusion in some cases that the risk is too high and the mitigation too expensive.

Is that where we need to go, perhaps have more of this lifecycle approach to services and data that would accommodate any number of different scenarios in terms of hosting access and availability? The cloud seems inevitable. So what we really need to focus on are the services in the data. Is that fair, Stuart?

Boardman: That’s part of it. That needs to be tied in with the risk-based approach. So if we have done that, we can then pick up on that information and we can look at a concrete situation, what have we got here, what do we want to do with it. We can then compare that information. We can assess our risk based on what we have done around the lifecycle. We can understand specifically what we might be thinking about putting where and come up with a sensible risk approach.

You may come to the conclusion in some cases that the risk is too high and the mitigation too expensive. In others, you may say, no, because we understand our information and we understand the risk situation, we can live with that, it's fine.

Gardner: It sounds as if we are coming at this as an underwriter for an insurance company. Is that perhaps the way to look at it, Dave?

Current risk

Gilmour: That’s eminently sensible. You have the mortality tables, you have the current risk, and you just work the two together and work out what's the premium. That's probably a very good paradigm to give us guidance actually as to how we should approach intellectually the problem.

Gardner: Mary Ann, what do you think?

Mezzapelle: One of the problems is that we don’t have those actuarial tables yet. That's a little bit of an issue for a lot of people when they talk about, "I've got $100 to spend on security. Where am I going to spend it this year? Am I going to spend it on firewalls? Am I going to spend it on information lifecycle management assessment? What am I going to spend it on?" That’s some of the research that we have been doing at HP is to try to get that into something that’s more of a statistic.

So, when you have a particular project that does a certain kind of security implementation, you can see what the business return on it is and how it actually lowers risk. We found that it’s better to spend your money on getting a better system to patch your systems than it is to do some other kind of content filtering or something like that.

Gardner: Perhaps what we need is the equivalent of an Underwriters Laboratories (UL) for permeable organizational IT assets, where the stamp of approval comes in high or low. Then, you could get you insurance insight, maybe something for The Open Group to look into. Any thoughts about how standards and a consortium approach would come into that?

Hietala: I don’t know about the underwriter’s lab for all security things. That sounds like a risky proposition.

Gardner: It could be fairly popular and remunerative.

Hietala: It could.

Mezzapelle: An unending job.

Hietala: I will say we have one active project in the Security Forum that is looking at trying to allow organizations to measure and understand risk dependencies that they inherit from other organizations.

At the end of the day, you're always accountable for the data that you hold. It doesn’t matter where you put it and how many other parties they subcontract that out to.

So if I'm outsourcing a function to XYZ corporation, being able to measure what risk am I inheriting from them by virtue of them doing some IT processing for me, could be a cloud provider or it could be somebody doing a business process for me, whatever. So there's work going on there.

I heard just last week about a NSF funded project here in the U.S. to do the same sort of thing, to look at trying to measure risk in a predictable way. So there are things going on out there.

Gardner: We have to wrap up, I'm afraid, but Stuart, it seems as if currently it’s the larger public cloud provider, something of Amazon and Google and among others that might be playing the role of all of these entities we are talking about. They are their own self-insurer. They are their own underwriter. They are their own risk assessor, like an underwriter’s lab. Do you think that's going to continue to be the case?

Boardman: No, I think that as cloud adoption increases, you will have a greater weight of consumer organizations who will need to do that themselves. You look at the question that it’s not just responsibility, but it's also accountability. At the end of the day, you're always accountable for the data that you hold. It doesn’t matter where you put it and how many other parties they subcontract that out to.

The weight will change

So there's a need to have that, and as the adoption increases, there's less fear and more, "Let’s do something about it." Then, I think the weight will change.

Plus, of course, there are other parties coming into this world, the world that Amazon has created. I'd imagine that HP is probably one of them as well, but all the big names in IT are moving in here, and I suspect that also for those companies there's a differentiator in knowing how to do this properly in their history of enterprise involvement.

So yeah, I think it will change. That's no offense to Amazon, etc. I just think that the balance is going to change.

Gardner: Because we'll get more of an ecosystem of accountability. Is that fair?

Gilmour: Yes. I think that's how it has to go. The question that then arises is, who is going to police the policeman and how is that going to happen? Every company is going to be using the cloud. Even the cloud suppliers are using the cloud. So how is it going to work? It’s one of these never-decreasing circles.

There's going to be a convergence of the consumer-driven, cloud-based model, which Amazon and Google represent, with an enterprise approach that corporations like HP are representing.

Gardner: Last word to you, Mary Ann. Do you see an opportunity here for something new, something quite unexpected, to happen in this market? There are so many questions. Is there a bigger shoe to fall at some point?

Mezzapelle: At this point, I think it’s going to be more evolution than revolution, but I'm also one of the people who've been in that part of the business -- IT services -- for the last 20 years and have seen it morph in a little bit different way.

Stuart is right that there's going to be a convergence of the consumer-driven, cloud-based model, which Amazon and Google represent, with an enterprise approach that corporations like HP are representing. It’s somewhere in the middle where we can bring the service level commitments, the options for security, the options for other things that make it more reliable and risk-averse for large corporations to take advantage of it.

Gardner: Well, great. We have to leave it there. I'd like to thank our panel. We've been joined by Jim Hietala, Vice President of Security for The Open Group. Thank you, Jim.

Hietala: Thank you, Dana.

Gardner: And Stuart Boardman, Senior Business Consultant at KPN. Thank you, Stuart.

Boardman: It was a pleasure.

Gardner: And Dave Gilmour, an Associate at Metaplexity Associates, as well as a Director at PreterLex. Thank you.

Gilmour: Thanks Dana.

Gardner: And last, Mary Ann Mezzapelle, Strategist for Enterprise Services and Chief Technologist for Security Services at HP. Thank you.

Mezzapelle: Thank you.

Gardner: You've been listening to a sponsored podcast discussion in conjunction with The Open Group Conference here in San Francisco, the week of January 30, 2012. I'm Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks again for joining, and come back next time.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: The Open Group.

A sponsored podcast discussion from The Open Group Conference in San Francisco on what the burgeoning cloud movement means for enterprise security. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.

You may also be interested in:

• Capgemini's CTO on Why Cloud Computing Exposes the Duality Between IT and Business
• San Francisco Conference observations: Enterprise transformation, enterprise architecture, SOA and a splash of cloud computing
  
• MIT's Ross on how enterprise architecture and IT more than ever lead to business transformation
• Overlapping criminal and state threats pose growing cyber security threat to global Internet commerce, says Open Group speaker
• Enterprise architects play key role in transformation, data analytics value -- but they need to act fast, say Open Group speakers
  
• Exploring Business-IT Alignment: A 20-Year Struggle Culminating in the Role and Impact of Business Architecture