Berlin 6 Open Access Conference: Christian Zier

www.berlin6.org

  1. Open Document Exchange Formats: Security, Protection & Experiences
     Christian Zier, Federal Office for Information Security
     Berlin6 Open Access Conference, 12.11.2008, Düsseldorf
  2. Agenda
     • My place of work
     • Standards and Open Standards
     • Open Document Exchange Formats
     • Security and Protection
     • ODF and OOXML
     • Migration at the BSI
  3. My place of work: BSI
     • Federal Office for Information Security (Bonn, Germany)
     • Federal public agency within the area of responsibility of the Federal Ministry for the Interior
     • Founded in 1991; unique as a public agency in comparison to other European establishments
     • Staff: around 460 employees
     • Budget: 52 million €
     Christian Zier, BSI, Germany. Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf. Slide 3
  4. Focus of activities
     • Internet security
     • Secure e-government
     • IT baseline protection
     • Cryptographic innovation
     • Biometrics
     • Security from eavesdropping
     • Certification and approval
     • Protection of critical infrastructure
     • Awareness campaign on IT security
     • National / international security co-operation
  5. Standards
     • British Standards Institute:
         • publicly available technical document
         • developed in cooperation with interested parties
         • based on scientific results and technical experiences
         • intention is to improve the public welfare
     • Subsystems can communicate via standardized interfaces
     • Basis for interoperable products
     • Promote competition between implementations
     • Multiple competing standards for the same purpose call the meaning of standards into question
  6. Open Standards
     • Independent of implementations and manufacturers
     • Competition between implementations, not standards
     • Increases interoperability, avoids vendor lock-ins
     • Facilitates development of independent + FOSS
     • Ensures future-proof access to archived data
     • Makes sure that authors can access their own documents
     • There exist various definitions
     • Standard has to be a common denominator → extensible to additional features
  7. Open Document Exchange Formats
     Open document exchange formats are
     • independent
     • developed in an open process
     • sufficiently documented
     Advantages of open document exchange formats:
     • enhance competition and software diversity
     • increase interoperability and automation
     • enhance adaptability
     • ensure archive security & guarantee future-proofing
     • extensible to additional features
  8. Open Document Exchange Formats contd.
     • Authors retain access to and control over their documents
     • E-Government needs ODEF for internal / external workflows, ... and secure documents
     • Process to Open Document Exchange Formats: Not a question of if, it's a question of how!
  9. Security and Protection
     • Attacks on IT systems are increasingly carried out via manipulated binary office documents
     • Attacks are performed by well-organized groups with good technical knowledge
     • For protection, we need to inspect documents to detect potentially malicious software (binary code)
     • In case of a critical vulnerability, protection might imply blocking all documents of a proprietary standard
  10. Security and Protection contd.
     • ODEF are well structured and meet the requirements:
     • Structure allows for complete, transparent analyses
     • Detection of malicious code strongly improved
     • Possibilities to hide malicious code strongly reduced
     • Efficient isolation of potentially dangerous code (e.g. macros, pictures, videos ...)
     • Suspicious content can be filtered out without necessarily losing the information of the entire document
  11. ODF (ISO 26300)
     • Developed by Sun Microsystems and OASIS
     • Many independent implementations (OO, KOffice, AbiWord)
     • Meets security requirements of eGovernment: structured format, can be scrutinised
     • Has been examined and tested
     • Possibility to directly access and edit the XML files
     • Macros uniquely identified with tags
     • No definition for a mathematical formula language reduces interoperability
  12. OOXML (ISO 29500)
     • Developed by Microsoft and Ecma International
     • ISO 29500 has not yet been officially published
     • There exists no implementation of this standard
     • Security scans probably more elaborate + costly due to
         • different tags in different document types for same properties (text color and alignment)
         • 6x more voluminous spec., indicates more complexity
     • No tags for handling macros, also reduces interoperability
     • More complex standard might reduce number of independent implementations and interoperability
     • Only few independent implementations to be expected
  13. Migration in the BSI
     • In the past few years, BSI has
         • migrated from Windows to Linux (around 50%)
         • migrated from Microsoft Exchange to KOLAB Groupware (http://www.kolab.org) with Kontact and Outlook clients
         • migrated from MS Office to StarOffice (~100%)
     • About 500 installations of StarOffice
     • Some installations of MS Office left (stand-alone and TS)
     • Focus on text documents as a start
     • Exchange documents: ODF (and PDF)
  14. Migration in the BSI: Experiences
     • The more recent the software, the less trouble
     • Positive:
     • Packaging and rollout easier with Linux
     • Bugs can be found easier and fixed faster
     • Better encryption functionality
     • Negative (Debian Woody):
     • Detection of printers
     • Printing PDF-files
     • Conversion of most templates after analysing for parts problematic to convert
     • Migration was supported by training for StarOffice
  15. Migration: Lessons learned
     • "Where can I find this feature, where has that button gone?"
     • "I want to return to Windows!"
     • "This document looked fine on the other machine!?"
     • People only accept a few drawbacks
     • Everyday scenarios have to work at least 90%
     • Very important in administration: document templates
     • Similarity of StarOffice to MS Office was helpful
  16. Migration: Lessons learned contd.
     • Success strongly depends on willingness to engage with new software
     • Many people care more about (good) applications than document standards → need good implementations of typical workflows for open documents
     • Only few severe problems → need more interoperability
     Might have read this before: It's not a question of IF, it's a question of HOW!
  17. Contact
     Federal Office for Information Security (BSI)
     Christian Zier
     Godesberger Allee 185-189
     53175 Bonn
     Tel: +49 (0)228-9582-5946
     Fax: +49 (0)228-9582-5400
     christian.zier@bsi.bund.de
     www.bsi.bund.de
     www.bsi-fuer-buerger.de
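
The inspection and filtering described on slides 10 and 11, as an added example that is not part of the original presentation: it lists the macro-bearing parts of an ODF package and writes a copy without them while keeping the document text. The `Basic/` and `Scripts/` storage paths, all function names and the sample package are assumptions of this example; event-listener bindings are not covered.

```python
import io, zipfile
import xml.etree.ElementTree as ET  # for untrusted files prefer a hardened parser (e.g. defusedxml)

NS = {"office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
      "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
      "manifest": "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep readable prefixes when re-serialising
SCRIPTS, FULL_PATH = "{%s}scripts" % NS["office"], "{%s}full-path" % NS["manifest"]
MACRO_DIRS = ("Basic/", "Scripts/")  # assumption: where OpenOffice-family suites store macros

def scan(odf):  # list macro parts in the package and <office:scripts> elements in content.xml
    with zipfile.ZipFile(io.BytesIO(odf)) as z:
        hits = ["part:" + n for n in z.namelist() if n.startswith(MACRO_DIRS)]
        root = ET.fromstring(z.read("content.xml"))
        return hits + ["element:office:scripts" for _ in root.iter(SCRIPTS)]

def _drop(xml_bytes, is_bad):  # remove every element matching is_bad, keep the rest
    root = ET.fromstring(xml_bytes)
    for parent in list(root.iter()):
        for child in [c for c in parent if is_bad(c)]:
            parent.remove(child)
    return ET.tostring(root)

def strip_macros(odf):  # copy the package without macro parts, script elements, manifest entries
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(odf)) as src, zipfile.ZipFile(out, "w") as dst:
        keep = [i for i in src.infolist() if not i.filename.startswith(MACRO_DIRS)]
        for info in keep:  # original order kept, so 'mimetype' stays the first entry
            data = src.read(info)
            if info.filename == "content.xml":
                data = _drop(data, lambda e: e.tag == SCRIPTS)
            elif info.filename == "META-INF/manifest.xml":
                data = _drop(data, lambda e: e.get(FULL_PATH, "").startswith(MACRO_DIRS))
            dst.writestr(info, data)
    return out.getvalue()

def build_sample():  # constructed, simplified ODF text package carrying one macro module
    content = ('<office:document-content xmlns:office="%(office)s" xmlns:text="%(text)s"><office:scripts/>'
               '<office:body><office:text><text:p>Quarterly report</text:p></office:text></office:body></office:document-content>' % NS)
    manifest = ('<manifest:manifest xmlns:manifest="%(manifest)s"><manifest:file-entry manifest:full-path="content.xml"/>'
                '<manifest:file-entry manifest:full-path="Basic/Standard/Module1.xml"/></manifest:manifest>' % NS)
    parts = [("mimetype", "application/vnd.oasis.opendocument.text"), ("content.xml", content),
             ("META-INF/manifest.xml", manifest), ("Basic/Standard/Module1.xml", "<module/>")]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts:
            z.writestr(name, body)
    return buf.getvalue()
```

Running `scan` before and after `strip_macros` on the same file shows the point of the slides: the macro parts disappear while the paragraph text in `content.xml` is preserved.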
