Security, Transactions and Open Standards
David Petraitis, European Representative, OASIS
CISO Executive Summit, Geneva, 16 June 2004
[email protected]


Page 1:

Security, Transactions and Open Standards

David Petraitis, European Representative

CISO Executive Summit, Geneva, 16 June 2004
[email protected]

Page 2:

Open Standards and the role of the CISO

• Future Shock – “De-perimeterization”
• Why do standards matter?
• What is a “standard”; how can you tell?
• Service-oriented architectures, web services and e-business
• Key directions in Web Services Standards
• What your company can do

Page 3:

The CISO has to deal with “Future Shock” daily!

Page 4:

Orderly business systems suffer…

Page 5:

De-perimeterization

Page 6:

A smooth sailing business environment is transformed…

Page 7:

Into a fight for your business survival

Page 8:

It’s enough to make the CISO want to…

Page 9:

Why then do standards matter?

Page 10:

“It is necessary that those between whom commerce is carried on should understand one another.”

Voltaire, Philosophical Dictionary, 1752

Page 11:

Why do standards matter for e-business?

• Businesses require expansion of the value chain into unlimited, de-perimeterized extranets
• Support of multiple platforms is a business necessity
• Must support multiple languages, taxonomies, semantics and business processes
• But… normalizing data, processes and users costs time and money

Page 12:

Why do standards matter? Risk reduction for e-commerce

Risk: diversity of business partners and technologies. Standards response: interoperable standards.
Risk: unstable business and technical requirements. Standards response: persistent technical base with stable versioning.
Risk: new and emerging business requirements. Standards response: evolving and converging standards.
Risk: need for long-term support. Standards response: reliable, fixed terms of availability.

Page 13:

Strategies for Companies in e-Business Standards

[Figure: a two-by-two strategy matrix. Axes: market power, and heterogeneity versus homogeneity. Strategies in the four quadrants: Dictate, Join, Adopt, Submit.]

Page 14:

“Without standards, a technology cannot become ubiquitous, particularly when it is part of a larger network.”

The Economist, 8 May 2003

Page 15:

What is a “standard” and how can you tell?

Page 16:

What is a Standard?

Anything that a vendor publishes? Or on which a few vendors agree?

• They may be “specifications”
• Some call them “de facto” standards
• But they are not necessarily open standards

Open standards are distinguishable:

• Published, clear rules
• Level playing field with public input
• Transparent operations
• Transparent output

Page 17:

What’s an “Open Standard”?

An open standard is:

• publicly available in stable, persistent versions
• developed and approved under a published process
• open to input: public comments, public archives, no NDAs
• subject to explicit, disclosed IPR terms

Anything else is to some extent proprietary. This is a policy distinction, not a pejorative; see the US, EU and WTO governmental and regulatory definitions of “standards”.

Page 18:

Regulatory mandates for standards

Increasingly, it matters to government buyers, users and regulators whether standards are “real” standards.

• WTO Technical Barriers to Trade Agreement, Annex 3: http://www.wto.org/english/docs_e/legal_e/final_e.htm
• National criteria, such as in the U.S. gov’t: http://www.whitehouse.gov/omb/circulars/a119/a119.html

These rules focus on desirable process attributes: public process, public archives, open to comment without NDA or noncompete restrictions, etc.

Page 19:

OASIS is a member-led, international nonprofit standards consortium concentrating on structured information and global e-business standards

Members of OASIS are vendors, users, academics and governments: organizations, individuals and industry groups

Best known for e-business standards such as

• UDDI
• SAML
• ebXML
• WS-Security
• WSRP
• WSRM
• SPML
• XACML
• UBL

Host for key security standards projects also including

• PKI TC
• DSS
• DSML

Page 20:

OASIS e-Business since 1993

DocBook v4.1, DSML v2, ebXML RIM v2, ebXML RS v2, ebXML MSG v2, ebXML CPPA v2, SAML v1.0, XACML v1.0, UDDI v2, SAML v1.1, WSRP v1, XCBF v1.1 (Biometrics), SPML v1.0 (Provisioning), CAP v1.0 (Emergency TC), WS-Security v1.0, AVDL v1.0

About 60 approved Committee Drafts

16 current OASIS Standards

Page 21:

Standards convergence and interoperability

• OASIS encourages and structures bilateral technical liaisons
• OASIS participates in and coordinates with many other standards and industry coordination efforts, e.g., ISO / IEC / ITU / ECE e-Business MoU; ISO Category-A liaisons with TC154 and various JTC1 subcommittees; W3C and OASIS management meetings; scoping and cooperative planning with GGF, DMTF, RosettaNet, EAN/UCC, OAGi, AIAG, CIDX, PIDX, etc.

Page 22:

Standards convergence and interoperability (cont.)

• OASIS puts software vendors, industry adopters, small developers and academics into the same conversation on accessible terms
• OASIS permits members to define specification projects that address their own needs: loose coupling, but coupling
• Strong interoperability bias: standards are expected to declare their dependencies, modularity and composability
• This results in a market-based architecture based on user requirements, instead of a top-down map

Page 23:

Standard Adoption

To be successful, a standard must be used. Adoption is most likely when the standard is:

• Freely accessible
• Meets the needs of a large number of adopters
• Flexible enough to change as needs change
• Produces consistent results
• Checkable for conformance, compatibility
• Implemented and thus practically available

Sanction and traction both matter

Page 24:

Open Standardization

[Figure: chart of market adoption (traction) against sanction. Sanction scale: Proprietary, JCV, Consortia, SDO. Specifications plotted with their sanctioning bodies: SGML (ISO), XML (W3C), SOAP v1.1, SOAP v1.2 (W3C), UDDI v2,3 (UDDI.org), WSDL v1.1, WSDL v1.2 (W3C), ebXML (x4) (OASIS), WS-Security, WS-S (OASIS), BPEL4WS, WS-BPEL (OASIS), UDDI v2,3 (OASIS), ISO15000.]

Page 25:

Service-oriented architectures, web services and e-business

Page 26:

Current OASIS alpha model for mapping e-Business work

[Figure: layered model. Layers: Service Discovery; Service Description; Orchestration & Management; Security & Access; Messaging; Data Content. Foundation: Common language (XML) over Common transport (HTTP, etc.).]

• Work in progress
• Loosely coupled
• Approachable to end users
• Driven by self-description

Page 27:

Each specification is a dot

[Figure: the same layered model (DRAFT), with UDDI and ebXML RegRep shown as dots in the Service Discovery layer.]

Page 28:

Some projects issue more than one spec

[Figure: the same layered model (DRAFT).]

Page 29:

Specs are at different stages

[Figure: the same layered model (DRAFT), with dots marked by approval level: Pre-approval, Committee Draft, OASIS Standard.]

Page 30:

OASIS Work (May 2004)

[Figure: the same layered model (DRAFT), populated with current OASIS work and marked by approval level.]

Page 31:

[Figure: the layered model (DRAFT, marked by approval level) with each Technical Committee placed in its layer. Layers: Service Discovery; Service Description; Orchestration & Management; Security & Access; Messaging; Data Content, over Common language (XML) and Common transport (HTTP, etc.). TCs shown, as grouped on the slide: ebXML CPPA; HumanML, UIML, WSRP; UDDI; DITA*, EntityRes, RELAX-NG, Topic Maps (3), XDI, XRI; ebXML MSG, WS-Rel.; [Conformance], ebXML IIC, XSLT Conf; [Auto Repair], AVDL, eGov, Election, eProc, Emerg, Legal XML (7), Materials, PLCS, PPS, TaxML, WAS; ebXML RegRep; FWSI, TransWS, BCM, ebSOA*; CIQ, DocBook, OpenOffice, UBL, XLIFF; DSS, PKI, SAML, WSS, XCBF; [DSML], RLTC, XACML, SPML; WSDM, WSRF*, WSN*; ASAP, BTP, ebXML-BP, WSBPEL, WSCAF; CAM.]

* New TCs

Page 32:

Multiple standards and methods may co-exist

Page 33:

Multiple co-existing standards:

Simpler:
• Lightweight code
• Easier to tool, deploy
• Loose coupling to other methods
• Limited use case

More complex:
• Heavyweight code, more functionality
• Bigger tools, higher cost
• More exclusive
• Highly scalable

The method you choose may depend on your needs

Page 34:

Key directions in Web Services security

Page 35:

Web Services Security

[Figure: the layered model (Service Discovery; Service Description; Orchestration & Management; Security & Access; Messaging; Data Content, over Common language (XML) and Common transport (HTTP, etc.)).]

Page 36:

[Figure: the layered model with the security-related TCs: DSS, PKI, SAML, WSS, XCBF; [DSML], RLTC, XACML, SPML. Also visible: WSDM, WSRF, WSN; ASAP, BTP, ebXML-BP, WSBPEL, WSCAF; CAM.]

Page 37:

Web Services security

• Most e-business implementations require a traceable, auditable, bookable level of assurance when data is exchanged
• IT operations demand a “transactional” level of reliable functionality, whether it’s an economic event (booking a sale) or a pure information exchange
• Dealings between divisions often need security and reliability as much as deals between companies

Page 38:

Security: function by function

• Identity authentication
• Encryption and protection against interception
• Control of access and authority

Page 39:

Identity authentication

• The latest e-business security standards implement the next generation of identity deployment
• In the 1990s, PKI assumed a universal network of official certification authorities
• Newer federated / distributed identity models permit identity certification to be decentralized and shared among service providers and existing registrars

• SAML
• WS-Security
• XCBF

Page 40:

Identity authentication: SAML (Security Assertion Markup Language)

• A standard way to convey identity and authorization data
• Winner of PC Magazine’s Technology Excellence Award in 2002 and Digital ID World 2003 award for innovation in 2003
• SAML 1.0 approved as an OASIS Standard in Nov. 2002; SAML 1.1 in Aug. 2003
• SAML 2.0 out soon

Page 41:

Identity authentication: WS-Security (Web Services Security)

• The standard method for attaching security data to a web services message
• Wide support in web services toolmaking
• Profiles (modules) completed or in development for:
  • Username-token/password pairs
  • X.509 PKI
  • SAML
  • Rights expression languages
• WS-Security 2004 1.0 suite approved as an OASIS Standard in March 2004
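As an added illustration of the Username-token profile named above (example code written for this page, not from the slides or from OASIS): a sender attaches a PasswordDigest UsernameToken in the wsse:Security header, and a receiver verifies it, including the nonce-replay and timestamp-freshness checks the digest form depends on. The user name, password, nonce and timestamps are constructed values; the namespace and type URIs are those of the WS-Security 2004 1.0 specifications.

```python
# Added example for this page (not from the slides or from OASIS): a sender builds a
# WS-Security UsernameToken in PasswordDigest form and a receiver verifies it.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace and type URIs defined by the WS-Security 2004 1.0 specifications.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"  # whole-second wsu:Created form used in this example


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Username Token Profile formula: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_security_header(user: str, password: str, created: str, nonce: bytes) -> str:
    """Sender side: the wsse:Security header attached to the SOAP envelope."""
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
        f"<wsse:Username>{user}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{B64}">{base64.b64encode(nonce).decode()}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created></wsse:UsernameToken></wsse:Security>"
    )


class UsernameTokenVerifier:
    """Receiver side. Checking a digest needs the password itself (a property of
    this profile), so the credential store must be protected accordingly."""

    def __init__(self, passwords: dict, freshness: timedelta = timedelta(minutes=5)):
        self.passwords = passwords  # constructed store: user name -> password
        self.freshness = freshness
        self.seen_nonces = set()  # replay cache; in practice expired with the freshness window

    def verify(self, header_xml: str, now: datetime) -> str:
        tok = ET.fromstring(header_xml).find(f"{{{WSSE}}}UsernameToken")
        if tok is None:
            return "reject: no UsernameToken"
        user = tok.findtext(f"{{{WSSE}}}Username") or ""
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        # The digest only resists replay when both Nonce and Created are present.
        if pw is None or pw.get("Type") != DIGEST or not nonce_b64 or not created:
            return "reject: digest password requires Nonce and Created"
        try:
            ts = datetime.strptime(created, TS_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return "reject: malformed Created"
        if abs(now - ts) > self.freshness:
            return "reject: Created outside freshness window"
        nonce = base64.b64decode(nonce_b64)
        if nonce in self.seen_nonces:
            return "reject: nonce replayed"
        # Compute a digest even for unknown users so both failures take the same path.
        expected = password_digest(nonce, created, self.passwords.get(user, ""))
        if user not in self.passwords or not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
            return "reject: bad credentials"
        self.seen_nonces.add(nonce)
        return "accept"
```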

Page 42:

Identity authentication: XCBF (eXtensible Common Biometric Format)

• Method for conveying biometric identity data such as retina scans and fingerprints
• Coordinated with other world efforts, including ITU-T standards and the ANSI X9.84 banking industry biometrics initiative
• Expect to see more tools and devices commercially deployed soon
• XCBF 1.1 approved as an OASIS Standard in August 2003

Page 43:

Encryption and protection against interception & intrusion

• A key problem with encrypted messages travelling over a shared or public network: if you encrypt the wrong bits, it doesn’t arrive, or the recipient can’t process it
• Shared and automated methods for managing security require a shared vocabulary about security weaknesses and risks

• DSS
• PKI TC
• AVDL
• WAS

Page 44:

Encryption and protection against interception & intrusion

DSS (Digital Signature Services)
• Develop methods for processing production and consumption of digital signatures
• Project underway

PKI TC (Public Key Infrastructure Technical Committee)
• Promotion and research regarding industry use of PKI digital signatures and practical obstacles to deployment
• Project underway

Page 45:

Encryption and protection against interception & intrusion

AVDL (Application Vulnerability Description Language)
• Uniform method for describing application security vulnerabilities
• AVDL 1.0 approved as an OASIS Standard in June 2004

WAS (Web Application Security)
• Threat model and classification scheme for web security vulnerabilities
• WAS 1.0 is under development

Network Magazine started a petition campaign to support wide deployment of AVDL and WAS: http://www.networkmagazine.com/watchdog/avdl.jhtml

Page 46:

Control of access and authority

• In transactional information exchanges, you often must apply access lists, directories of recipients, levels of authority, and access policies
• So that you know who gets what, and who should get it

• XACML
• SPML

Page 47:

Control of access and authority

XACML (Access Control Markup Language)
• Method for conveying and applying data access policies and controls
• Demo’ed at XML2003 in Philadelphia
• XACML 1.0 approved as an OASIS Standard in Feb. 2003
• Role-based access profile issued in May 2004

SPML (Service Provisioning Markup Language)
• Disseminates and leverages directories and access lists, such as employee authorizations
• Demo’ed at Burton Catalyst 2003 in SF
• SPML 1.0 approved as an OASIS Standard in August 2003

Page 48:

What should your company be doing?

Page 49:

Reducing Risk in new e-business technologies

• Avoid reinventing the wheel
• Stay current with emerging technologies
• Influence industry direction
• Ensure consideration of own needs
• Realization of interoperability and network effects
• Reduce development cost/time: save development on new technologies; share cost/time with other participants
• Specify standards compliance as a risk reduction strategy

Page 50:

What can my company do?

Participate:
• Understand the ground rules
• Contribute actively

Or… be a good observer

In any case… make your needs known: use cases, functions, platforms, IPR, availability, tooling

Be pragmatic: standardization is a voluntary process

Page 51:

Example: The OASIS Disease Control Interoperability Demo at XML 2003

[Figure: the layered model (Service Discovery; Service Description; Orchestration & Management; Security & Access; Messaging; Data Content) with the standards used in the demo: UBL, XForms, ebXML BP, ebXML Registry, ebXML MSG, ebXML CPP/A, XACML.]

Users are building working implementations from standards today

Page 52:

Users are building working implementations today

• Public health - US Centers for Disease Control
• Financial services industry - Fidelity
• Automobile industry - AIAG
• Electronics industry - RosettaNet
• Chemicals industry - CIDX
• Utilities - Electricity Supply Board of Ireland

See the various presentations made at the April 2004 OASIS Symposium on Reliable Infrastructures: http://www.oasis-open.org/events/symposium/pre_program.php

Page 53:

Security, Transactions and Open Standards

David Petraitis, European Representative, OASIS
[email protected]