TRANSCRIPT
Security, Transactions and Open Standards
David Petraitis, European Representative, OASIS
CISO Executive Summit, Geneva, 16 June 2004
[email protected]
Agenda
• Future Shock: “de-perimeterization”
• Why do standards matter?
• What is a “standard”; how can you tell?
• Service-oriented architectures, web services and e-business
• Key directions in Web Services standards
• What your company can do
Open Standards and the role of the CISO
The CISO has to deal with “Future Shock” daily!
Orderly business systems suffer…
De-perimeterization
A smooth sailing business environment is transformed into a fight for your business survival
It’s enough to make the CISO want to…
Why then do standards matter?
“It is necessary that those between whom commerce is carried on should understand
one another.”
Voltaire, Philosophical Dictionary, 1752
Why do standards matter for e-business?
• Businesses require expansion of the value chain into unlimited, de-perimeterized extranets
• Support of multiple platforms is a business necessity
• Must support multiple languages, taxonomies, semantics and business processes
• But… normalizing data, processes and users costs time and money
Why do standards matter? Risk reduction for e-commerce (risk → how standards reduce it)
• Diversity of business partners and technologies → interoperable standards
• Unstable business and technical requirements → persistent technical base with stable versioning
• New and emerging business requirements → evolving and converging standards
• Need for long-term support → reliable, fixed terms of availability
Strategies for companies in e-business standards
Figure: a 2×2 matrix of strategies, with market power on one axis and heterogeneity vs. homogeneity on the other; the quadrants are Dictate, Join, Submit and Adopt
“Without standards, a technology cannot become
ubiquitous, particularly when it is part of a larger network.”
The Economist, 8 May 2003
What is a “standard” and how can you tell?
• Anything that a vendor publishes? Or on which a few vendors agree?
• They may be “specifications”; some call them “de facto” standards
• But they are not necessarily open standards
• Open standards are distinguishable: published, clear rules; a level playing field with public input; transparent operations; transparent output
What’s an “Open Standard”? An open standard is:
• publicly available in stable, persistent versions
• developed and approved under a published process
• open to input: public comments, public archives, no NDAs
• subject to explicit, disclosed IPR terms
Anything else is to some extent proprietary. This is a policy distinction, not a pejorative; see the US, EU and WTO governmental and regulatory definitions of “standards”.
Regulatory mandates for standards
Increasingly, it matters to government buyers, users and regulators whether standards are “real” standards.
• WTO Technical Barriers to Trade Agreement, Annex 3: http://www.wto.org/english/docs_e/legal_e/final_e.htm
• National criteria, such as in the U.S. government: http://www.whitehouse.gov/omb/circulars/a119/a119.html
These rules focus on desirable process attributes: public process, public archives, open to comment without NDA or noncompete restrictions, etc.
OASIS is a member-led, international nonprofit standards consortium concentrating on structured information and global e-business standards
Members of OASIS are vendors, users, academics and governments: organizations, individuals and industry groups
Best known for e-business standards such as
• UDDI
• SAML
• ebXML
• WS-Security
• WSRP
• WSRM
• SPML
• XACML
• UBL
Host for key security standards projects also including
• PKI TC
• DSS
• DSML
OASIS e-Business since 1993
Approved OASIS Standards, in order: DocBook v4.1, DSML v2, ebXML RIM v2, ebXML RS v2, ebXML MSG v2, ebXML CPPA v2, SAML v1.0, XACML v1.0, UDDI v2, SAML v1.1, WSRP v1, XCBF v1.1 (Biometrics), SPML v1.0 (Provisioning), CAP v1.0 (Emergency TC), WS-Security v1.0, AVDL v1.0
About 60 approved Committee Drafts
16 current OASIS Standards
Standards convergence and interoperability
• OASIS encourages and structures bilateral technical liaisons
• OASIS participates in and coordinates with many other standards and industry coordination efforts, e.g., the ISO / IEC / ITU / ECE e-Business MoU; ISO Category-A liaisons with TC154 and various JTC1 Subcommittees; W3C and OASIS management meetings; scoping and cooperative planning with GGF, DMTF, RosettaNet, EAN/UCC, OAGi, AIAG, CIDX, PIDX, etc.
Standards convergence and interoperability (cont.)
• OASIS puts software vendors, industry adopters, small developers and academics into the same conversation on accessible terms
• OASIS permits members to define specification projects that address their own needs: loose coupling, but coupling
• Strong interoperability bias: standards are expected to declare their dependencies, modularity and composability
• This results in a market-based architecture based on user requirements, instead of a top-down map
To be successful, a standard must be used. Adoption is most likely when the standard is:
• Freely accessible
• Meets the needs of a large number of adopters
• Flexible enough to change as needs change
• Produces consistent results
• Checkable for conformance, compatibility
• Implemented and thus practically available
Sanction and traction both matter
Standard Adoption
Figure: chart of market adoption (traction) against degree of open standardization (sanction: proprietary, JCV, consortia, SDO). Specifications plotted: SGML (ISO), XML (W3C), SOAP v1.1 and v1.2 (W3C), UDDI v2,3 (UDDI.org, then OASIS), WSDL v1.1 and v1.2 (W3C), ebXML (x4) (OASIS, ISO 15000), WS-Security (OASIS), BPEL4WS / WS-BPEL (OASIS), WS-S (OASIS)
Service-oriented architectures, web services and e-business
Current OASIS alpha model for mapping e-Business work (work in progress)
Figure: a layered map. Layers, top to bottom: Service Discovery; Service Description; Orchestration & Management; Security & Access; Messaging; Data Content; all resting on a common language (XML) and a common transport (HTTP, etc.)
Properties of the model: loosely coupled; approachable to end users; driven by self-description
Reading the map:
• Each specification is a dot on the map (for example, UDDI and ebXML RegRep sit under Service Discovery)
• Some projects issue more than one spec
• Specs are at different stages; the approval levels are: pre-approval, Committee Draft, OASIS Standard
OASIS Work (May 2004)
Figure: OASIS technical committees placed on the same layered map, with approval levels marked (* marks new TCs). Committees shown: ebXML CPPA; HumanML, UIML, WSRP; UDDI; DITA*, EntityRes, RELAX-NG, Topic Maps (3), XDI, XRI; ebXML MSG, WS-Rel.; [Conformance], ebXML IIC, XSLT Conf; [Auto Repair], AVDL, eGov, Election, eProc, Emerg, Legal XML (7), Materials, PLCS, PPS, TaxML, WAS; ebXML RegRep; FWSI, TransWS, BCM, ebSOA*; CIQ, DocBook, OpenOffice, UBL, XLIFF; DSS, PKI, SAML, WSS, XCBF; [DSML], RLTC, XACML, SPML; WSDM, WSRF*, WSN*; ASAP, BTP, ebXML-BP, WSBPEL, WSCAF; CAM
Multiple standards and methods may co-exist
Multiple co-existing standards:
Simpler                          | More complex
Lightweight code                 | Heavyweight code, more functionality
Easier to tool, deploy           | Bigger tools, higher cost
Loose coupling to other methods  | More exclusive
Limited use case                 | Highly scalable
The method you choose may depend on your needs
Key directions in Web Services security
Figure: the same layered map (Service Discovery; Service Description; Orchestration & Management; Security & Access; Messaging; Data Content; over a common language (XML) and a common transport (HTTP, etc.)), with the Web Services Security work highlighted
Web Services Security
TCs highlighted on the map: DSS, PKI, SAML, WSS, XCBF; [DSML], RLTC, XACML, SPML; WSDM, WSRF, WSN; ASAP, BTP, ebXML-BP, WSBPEL, WSCAF; CAM
Web Services security
• Most e-business implementations require a traceable, auditable, bookable level of assurance when data is exchanged
• IT operations demand a “transactional” level of reliable functionality, whether it’s an economic event (booking a sale) or a pure information exchange
• Dealings between divisions often need security and reliability as much as deals between companies
Security: function by function
• Identity authentication
• Encryption and protection against interception
• Control of access and authority
Identity authentication
• The latest e-business security standards implement the next generation of identity deployment
• In the 1990s, PKI assumed a universal network of official certification authorities
• Newer federated / distributed identity models permit identity certification to be decentralized and shared among service providers and existing registrars
• SAML
• WS-Security
• XCBF
Identity authentication: SAML (Security Assertion Markup Language)
• A standard way to convey identity and authorization data
• Winner of PC Magazine’s Technology Excellence Award in 2002 and the Digital ID World 2003 award for innovation
• SAML 1.0 approved as an OASIS Standard in Nov. 2002; SAML 1.1 in Aug. 2003
• SAML 2.0 out soon
Identity authentication: WS-Security (Web Services Security)
• The standard method for attaching security data to a web services message
• Wide support in web services toolmaking
• WS-Security 2004 1.0 suite approved as an OASIS Standard in March 2004
• Profiles (modules) completed or in development for: username-token/password pairs; X.509 PKI; SAML; rights expression languages
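As an added illustration (not from the presentation and not OASIS code), the following Python shows the username-token profile mentioned above in its PasswordDigest form: the sender attaches a <wsse:UsernameToken> to the message, and the receiver recomputes the digest, enforces a freshness window on wsu:Created and refuses any nonce it has already accepted. The lookup_password callback, the now string parameter and the five-minute window are assumptions made for the example.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET
# Namespace and Type URIs are those of the WS-Security 2004 1.0 UsernameToken profile.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NS = {"wsse": WSSE, "wsu": WSU}
for prefix, uri in NS.items(): ET.register_namespace(prefix, uri)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # wsu:Created as a UTC timestamp

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), as the profile defines it."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def build_username_token(username: str, password: str, nonce: bytes, created: str) -> str:
    """Sender side: a <wsse:UsernameToken> carrying a digest, so the password itself never goes on the wire."""
    tok = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST_TYPE).text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")

def verify_username_token(xml_text: str, lookup_password, now: str, seen_nonces: set,
                          max_age: timedelta = timedelta(minutes=5)) -> bool:
    """Receiver side: recompute the digest, enforce a freshness window on Created and reject reused nonces.
    `now` is the receiver's UTC clock in TIME_FMT (hypothetical parameter, so the check is deterministic)."""
    try:
        tok = ET.fromstring(xml_text)
        username = tok.findtext("wsse:Username", namespaces=NS)
        pw_el = tok.find("wsse:Password", namespaces=NS)
        nonce_b64 = tok.findtext("wsse:Nonce", namespaces=NS)
        created = tok.findtext("wsu:Created", namespaces=NS)
        if None in (username, pw_el, nonce_b64, created) or pw_el.get("Type") != DIGEST_TYPE:
            return False  # malformed, or a PasswordText token: only the digest form is accepted here
        created_at, now_at = datetime.strptime(created, TIME_FMT), datetime.strptime(now, TIME_FMT)
        nonce = base64.b64decode(nonce_b64, validate=True)
    except (ET.ParseError, ValueError):
        return False
    if not (now_at - max_age <= created_at <= now_at + max_age) or nonce_b64 in seen_nonces:
        return False  # Created outside the clock-skew window, or a nonce already accepted (replay)
    expected = lookup_password(username)
    if expected is None or not hmac.compare_digest(pw_el.text or "", password_digest(nonce, created, expected)):
        return False  # unknown user, wrong password, or tampered Created/Nonce
    seen_nonces.add(nonce_b64)  # record the nonce only after a successful check
    return True
```

The seen_nonces set stands in for whatever replay cache the receiver keeps; in practice it only needs to retain nonces for the length of the freshness window.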
Identity authentication: XCBF (eXtensible Common Biometric Format)
• Method for conveying biometric identity data such as retina scans and fingerprints
• Coordinated with other world efforts, including ITU-T standards and the ANSI X9.84 banking industry biometrics initiative
• Expect to see more tools and devices commercially deployed soon
• XCBF 1.1 approved as an OASIS Standard in August 2003
Encryption and protection against interception & intrusion
• A key problem with encrypted messages travelling over a shared or public network: if you encrypt the wrong bits, it doesn’t arrive, or the recipient can’t process it
• Shared and automated methods for managing security require a shared vocabulary about security weaknesses and risks
• DSS
• PKI TC
• AVDL
• WAS
Encryption and protection against interception & intrusion: DSS (Digital Signature Services)
• Develops methods for processing the production and consumption of digital signatures
• Project underway
PKI TC (Public Key Infrastructure Technical Committee)
• Promotion and research regarding industry use of PKI digital signatures and practical obstacles to deployment
• Project underway
Encryption and protection against interception & intrusion: AVDL (Application Vulnerability Description Language)
• Uniform method for describing application security vulnerabilities
• AVDL 1.0 approved as an OASIS Standard in June 2004
WAS (Web Application Security)
• Threat model and classification scheme for web security vulnerabilities
• WAS 1.0 is under development
Network Magazine started a petition campaign to support wide deployment of AVDL and WAS: http://www.networkmagazine.com/watchdog/avdl.jhtml
Control of access and authority
• In transactional information exchanges, you often must apply access lists, directories of recipients, levels of authority, and access policies
• So that you know who gets what, and who should get it
• XACML
• SPML
Control of access and authority: XACML (Access Control Markup Language)
• Method for conveying and applying data access policies and controls
• Demonstrated at XML 2003 in Philadelphia
• XACML 1.0 approved as an OASIS Standard in Feb. 2003
• Role-based access profile issued in May 2004
SPML (Service Provisioning Markup Language)
• Disseminates and leverages directories and access lists, such as employee authorizations
• Demonstrated at Burton Catalyst 2003 in SF
• SPML 1.0 approved as an OASIS Standard in August 2003
What should your company be doing?
Reducing risk in new e-business technologies:
• Avoid reinventing the wheel
• Stay current with emerging technologies
• Influence industry direction
• Ensure consideration of own needs
• Realization of interoperability and network effects
• Reduce development cost/time: save development on new technologies; share cost/time with other participants
• Specify standards compliance as a risk reduction strategy
What can my company do?
• Participate: understand the ground rules; contribute actively
• Or… be a good observer
• In any case… make your needs known: use cases, functions, platforms, IPR, availability, tooling
• Be pragmatic: standardization is a voluntary process
Example: The OASIS Disease Control Interoperability Demo at XML 2003
Figure: the layered map (Service Discovery; Service Description; Orchestration & Management; Security & Access; Messaging; Data Content) with the specifications the demo used: UBL, XForms, ebXML BP, ebXML Registry, ebXML MSG, ebXML CPP/A, XACML
Users are building working implementations from standards today
• Public health - US Centers for Disease Control
• Financial services industry - Fidelity
• Automobile industry - AIAG
• Electronics industry - RosettaNet
• Chemicals industry - CIDX
• Utilities - Electricity Supply Board of Ireland
See the various presentations made at the April 2004 OASIS Symposium on Reliable Infrastructures: http://www.oasis-open.org/events/symposium/pre_program.php
Security, Transactions and Open Standards
David Petraitis, European Representative, OASIS
[email protected]