Standards Effort Points to Automation Via Common Markup Language for Improved IT Compliance, Security
Transcript of a BriefingsDirect podcast from The Open Group Conference on the new Open Automated Compliance Expert Markup Language and how it can save companies time and money.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Sponsor: The Open Group

Dana Gardner: Hi. This is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference in Austin, Texas, the week of July 18, 2011. We're going to examine the Open Automated Compliance Expert Markup Language (O-ACEML), a new standard creation and effort that helps enterprises automate security compliance across their systems in a consistent and cost-saving manner. O-ACEML helps to achieve compliance with applicable regulations but also achieves major cost savings. From the compliance audit viewpoint, auditors can carry out similarly consistent and more capable audits in less time.

Here to help us understand O-ACEML and managing automated security compliance issues and how the standard is evolving are our guests. We're here with Jim Hietala, Vice President of Security at The Open Group. Welcome back, Jim.

Jim Hietala: Thanks, Dana. Glad to be with you.

Gardner: We're also here with Shawn Mullen. He's a Power Software Security Architect at IBM. Welcome to the show, Shawn.

Shawn Mullen: Thank you.

Gardner: Let's start by looking at why this is an issue. Why do O-ACEML at all? I assume that security being such a hot topic, as well as ways in which organizations grapple with the regulations, and compliance issues are also very hot, this has now become an issue that needs some standardization.

Let me throw this out to both of you. Why are we doing this at all and what are the problems that we need to solve with O-ACEML?

Hietala: One of the things you've seen in the last 10 or 12 years, since the compliance regulations have really come to the fore, is that the more regulation there is, the more specific requirements are put down, and the more challenging it is for organizations to manage. Their IT infrastructure needs to be in compliance with whatever regulations impact them, and the cost of doing so becomes a significant thing. So, anything that could be done to help automate, to drive out cost, and maybe make organizations more effective in complying with the regulations that affect them -- whether it's PCI, HIPAA, or whatever -- there's a lot of benefit to large IT organizations in doing that. That's really what drove us to look at adopting a standard in this area.

Gardner: Jim, just for those folks who are coming in fresh, are we talking about IT security equipment and the compliance around that, or is it about the process of how you do security, or both? What are the boundaries around this effort and what it focuses on?

Manual process

Hietala: It's both. It's enabling the compliance of IT devices specifically around security constraints and the security configuration settings and, to some extent, the process. If you look at how people did compliance or managed to compliance without a standard like this, without automation, it tended to be a manual process of setting configuration settings and auditors manually checking on settings. O-ACEML goes to the heart of trying to automate that process and drive some cost out of the equation.

Gardner: Shawn Mullen, how do you see this in terms of the need? What are the trends or environment that necessitate this?

Mullen: I agree with Jim. This has been going on a while, and we're seeing it on both classes of customers. On the high end, we would go from customer to customer and they would have their own hardening scripts, their own view of what should be hardened. It may conflict with what the compliance organization wanted as far as the settings.

This was a standard way of taking what the compliance organization wanted, and also it has an easy way to author it, to change it. If your own corporate security requirements are more stringent, you can easily change the ACEML configuration, so that it satisfies your more stringent corporate compliance or security policy, as well as satisfying the regulatory compliance organization, in an easy way to monitor it, to report, and see it.

In addition, on the low end, the small businesses don't have the expertise to know how to configure their systems. Quite frankly, they don't want to be security experts. Here is an easy way to print an XML file to harden their systems as it needs to be hardened to meet compliance or just the regular good security practices.
Gardner: One of the things that's jumped out at me as I've looked into this is the rapid improvement in terms of cost or return on investment (ROI), almost to the league of a no-brainer category. Help me understand why it is so expensive and inefficient now, when it comes to security equipment audits and regulatory compliance. What might this then therefore bring in terms of improvement?

Mullen: One of the things that we're seeing in the industry is server consolidation. If you have these hundreds, or in large organizations thousands, of systems and you have to manually configure them, it becomes a very daunting task. Because of that, it's a one-time shot at doing this, and then the monitoring is even more difficult. With ACEML, it's a way of authoring your security policy as it meets compliance or for your own security policy and pushing that out. This allows you to have a single XML and push it onto heterogeneous platforms. Everything is configured securely and consistently and it gives you a very easy way to get the tooling to monitor those systems, so they are configured correctly today. You're checking them weekly or daily to ensure that they remain in that desired state.

Gardner: So it's important not only to automate, but to be inclusive and comprehensive in the way you do that, or you are back to a manual process at least for a significant portion, but that might then not be at your compliance issues. Is that how it works?

Mullen: We had a very interesting presentation here at The Open Group Conference yesterday. I'll let Jim provide some of the details on that, but customers are finding the best way they can lower their compliance or their cost of meeting compliance is through automation. If you can automate any part of that compliance process, that's going to save you time and money. If you can get rid of the manual effort with automation, it greatly reduces your cost.

Gardner: Shawn, do we have any sense in the market what the current costs are, even for something that was as well-known as Sarbanes-Oxley? How impressive, or unfortunately intimidating, are some of these costs?

Cost of compliance

Mullen: There was a very good study yesterday. The average cost for an organization to be compliant is $3 million. That's annual cost. What was also interesting was that the cost of being non-compliant, as they called it, was $9 million.

Hietala: The figures that Shawn was referencing come out of the study by the Ponemon Institute. Larry Ponemon does lots of studies around security risk compliance cost. He authors an annual data breach study that's pretty widely quoted in the security industry that gets to the cost of data breaches on average for companies.

In the numbers that were presented yesterday, he recently studied 46 very large companies, looking at their cost to be in compliance with the relevant regulations. It's like $3.5 million a year, and over $9 million for companies that weren't compliant, which suggests that companies that are actually actively managing towards compliance are probably a little more efficient than those that aren't.

What O-ACEML has the opportunity to do for those companies that are in compliance is help drive that $3.5 million down to something much less than that by automating and taking manual labor out of the process.

Gardner: So it's a seemingly very worthwhile effort. How do we get to where we are now, Jim, with the standard, and where do we need to go? What's the level of maturity with this?

Hietala: It's relatively new. It was just published 60 days ago by The Open Group. The actual specification is on The Open Group website. It's downloadable, and we would encourage both system vendors and platform vendors, as well as folks in the security management space or maybe the IT-GRC space, to check it out, take a look at it, and think about adopting it as a way to exchange compliance configuration information with platforms.

We want to encourage adoption by as broad a set of vendors as we can, and we think that having more adoption by the industry will help make this more available so that end-users can take advantage of it.

Gardner: Back to you, Shawn. Now that we've determined that we're in the process of creating this, perhaps you could set the stage for how it works. What takes place with ACEML? People are familiar with markup languages, but how does this now come to bear on this problem around compliance, automation, and security?

Mullen: Let's take a single rule, and we'll use a simple case like the minimum password length. In PCI the minimum password length, for example, is seven. Sarbanes-Oxley, which relies on COBiT, password length would be eight.

But with an O-ACEML XML, it's very easy to author a rule, and there are three segments to it. The first segment is very human understandable, where you would put something like "password length equals seven." You can add descriptive text with it, and that's all you have to author.

Actionable command

When that is pushed down on to the platform or the system that's O-ACEML aware, it's able to take that simple ACEML word or directive and map that into an actionable command relevant to that system. When it finds the map into the actionable command, it writes it back into the XML. So that's completing the second phase of the rule. It executes that command either to implement the setting or to check the setting.
The result of the command is then written back into the XML. So now the XML for a particular rule has the first part, the authored high-level directive as a compliance organization, how that particular system mapped into a command, and the result of executing that command either in a setting or checking format.

Now we have all of the artifacts we need to ensure that the system is configured correctly, and to generate audit reports. So when the auditor comes in we can say, "This is exactly how any particular system is configured and we know it to be consistent, because we can point to any particular system, get the O-ACEML XML and see all the artifacts and generate reports from that."

Gardner: Maybe to give a sense of how this works, we can also look at a before-and-after scenario. Maybe you could describe how things are done now, the before or current status approach or standard operating procedure, and then what would be the case after someone would implement and mature an O-ACEML implementation.

Mullen: There are similar tools to this, but they don't all operate exactly the same way. I'll use an example of BigFix. If I had a particular system, they would offer a way for you to write your own scripts. You would basically be doing what you would do at the end point, but you would be doing it at the BigFix central console. You would write scripts to do the checking. You would be doing all of this work for each of your different platforms, because everyone is a little bit different.

Then you could use BigFix to push the scripts down. They would run, and hopefully you wrote your scripts correctly. You would get results back. What we want to do with ACEML is when you just put the high-level directive down to the system, it understands ACEML and it knows the proper way to do the checking.

What's interesting about ACEML, and this is one of our differences from, for example, the Security Content Automation Protocol (SCAP), is that instead of the vendor saying, "This is how we do it. It has a repository of how the checking goes and everything like that," you let the end point make the determination. The end point is aware of what OS it is and it's aware of what version it is.

For example, with IBM UNIX, which is AIX, you would say "password check at this different level." We've increased our password strength, we've done a lot of security enhancements around that. If you push the ACEML to a newer level of AIX, it would do the checking slightly differently. So, it really relies on the platform, the device itself, to understand ACEML and understand how best to do its checking.

We see with small businesses and even some of the larger corporations that they're maintaining their own scripts. They're doing everything manually. They're logging on to a system and running some of those scripts. Or, they're not running scripts at all, but are manually making all of these settings.

It's an extremely long and burdensome process, when you start considering that there are hundreds of thousands of these systems. There are different OSs. You have to find experts for your Linux systems or your HP-UX or AIX. You have to have all those different talents and skills in these different areas, and again the process is quite lengthy.

Gardner: Jim Hietala, it sounds like we are focusing on servers to begin with, but I imagine that this could be extended to network devices, other endpoints, other infrastructure. What's the potential universe of applicability here?

Different classes

Hietala: The way to think about it is the universe of IT devices that are in scope for these various compliance regulations. If you think about PCI DSS, it defines pretty tightly what your cardholder data environment consists of. In terms of O-ACEML, it could be networking devices, servers, storage equipment, or any sort of IT device. Broadly speaking, it could apply to lots of different classes of computing devices.

Gardner: Back to you, Shawn. You mentioned the AIX environment. Could you explain a beginning approach that you've had with IBM Compliance Expert, or ICE, that might give us a clue as to how well this could work, when applied even more broadly? How does that heritage in ICE develop, and what would that tell us about what we could expect with O-ACEML?

Mullen: We've had ICE and this AIX Compliance Expert, using the XML, for a number of years now. It's been broadly used by a lot of our customers, not only to secure AIX but to secure the virtualization environment, in particular a virtual I/O server. So we use it for that.

One of the things that ACEML brings is that it has some of the lessons we learned from doing our own proprietary XML. It also brings some lessons we learned when looking at other XML for compliance like XCCDF. One of the things we put in there was a remediation element.

For example, the PCI says that your password length should be seven. COBiT says your password length should be eight. It has the XML, so you can blend multiple compliance requirements with a single policy, choosing the more secure setting, so that both compliance organizations, or three compliance organizations, get set properly to meet all of those, and apply it to a singular system.

One of the things that we're hoping vendors will gravitate toward is the ability to have a central console controlling their IT environment or configuring and monitoring their IT environment. It just has to push out a single XML file. It doesn't have to push out a special XML for Linux versus AIX versus a network device. It can push out that ACEML file to all of the devices. It's a singular descriptive XML, and each device, in turn, knows how to map it to its own particular platform in security configuring.
Gardner: Jim Hietala, it sounds as if the low-hanging fruit here would be the compliance and automation benefit, but it also sounds as if this is comprehensive. It's targeted at a very large set of the devices and equipment in the IT infrastructure. This could become a way of propagating new security policies, protocols, approaches, even standards, down the line. Is that part of the vision here -- to be able to offer a means by which an automated propagation of future security changes could easily take place?

Hietala: Absolutely, and it goes beyond just the compliance regulations that are inflicted on us or put on us by government organizations to defining a best practice set of security policies in the organization. Then, using this as a mechanism to push those out to your environment and to ensure that they are being followed and implemented on all the devices in their IT environment. So, it definitely goes beyond just managing compliance to these external regulations, to doing a better job of implementing the ideal security configuration settings across your environment.

Gardner: And because this is being done in an open environment like The Open Group, and because it's inclusive of any folks or vendors or suppliers who want to take part, it sounds as if this could also cross the chasm between an enterprise IT set and a consumer or mobile or external third-party provider set.

Is it also a possibility that we're going beyond heterogeneity, when it comes to different platforms, but perhaps crossing boundaries into different segments of IT and what we're seeing with the "consumerization" of IT now? I'll ask this to either of you or both of you.

Moving to the cloud

Hietala: I'll make a quick comment and then turn it over to Shawn. Definitely, if you think about how this sort of a standard might apply towards services that are built in somebody's cloud, you could see using this as a way to both set configuration settings and check on the status of configuration settings and instances of machines that are running in a cloud environment. Shawn, maybe you want to expand on that?

Mullen: It's interesting that you brought this up, because this is the exact conversation we had earlier today in one of the plenary sessions. They were talking about moving your IT out into the cloud. One of the issues, aside from just the security, was how do you prove that you are meeting these compliance requirements?

ACEML is a way to reach into the cloud to find your particular system and bring back a report that you can present to your auditor. Even though you don't own the system -- it's not in the data center here in the next office, it's off in the cloud somewhere -- you can bring back all the artifacts necessary to prove to the auditor that you are meeting the regulatory requirements.

Gardner: Jim, how do folks take further steps to either gather more information? Obviously, this would probably be of interest to enterprises as well as the suppliers, vendors, or professional services organizations. What are the next steps? Where can they go to get some information? What should they do to become involved?

Hietala: The standard specification is up on our website. You can go to the "Publications" tab on our website, and do a search for O-ACEML, and you should find the actual technical standard document. Then, you can get involved directly in the Security Forum by joining The Open Group. As the standard evolves, and as we do more with it, we certainly want more members involved in helping to guide the progress of it over time.

Gardner: Thoughts from you, Shawn, on that same getting-involved question?

Mullen: That's a perfect way to start. We do want to invite different compliance organizations, everybody from the electrical power grid -- they have their own view of security -- to ISO, to the payment card industry. For the electrical power grid standard, for example -- and ISO is the same way -- what ACEML helps them with is they don't need to understand how Linux does it, how AIX does it. They don't need to have that deep understanding.

In fact, the way ISO describes it in their PDF around password settings, it basically says, use good password settings, and it doesn't go into any depth beyond that. The way we architected and designed O-ACEML is that you can just say, "I want good password settings," and it will default to what we decided. What we focused in on collectively as an international standard in The Open Group was that good password hygiene means you change your password every six months. It should at least carry this many characters, there should be a non-alphanumeric.

It removes the burden of these different compliance groups from being security experts and it lets them just use ACEML and the default settings that The Open Group came up with.

We want to reach out to those groups and show them the benefits of publishing some of their security standards in O-ACEML. Beyond that, we'll work with them to have that standard up, and hopefully they can publish it on their website, or maybe we can publish it on The Open Group website.

Next milestones

Gardner: Well, great. We've been learning more about the Open Automated Compliance Expert Markup Language, more commonly known as O-ACEML. And we've been seeing how it can help assure compliance along with some applicable regulations across different types of equipment, but has the opportunity to perhaps provide more security across different domains, be that cloud or on-premises or even partner networks, while also achieving major cost savings. We've been learning how to get started on this and what the maturity timeline is.

Jim Hietala, what would be the next milestone? What should people expect next in terms of how this is being rolled out?
Hietala: You'll see more from us in terms of adoption of the standard. We're looking already at case studies and so forth to really describe, in terms that everyone can understand, what benefits organizations are seeing from using O-ACEML. Given the environment we're in today, we're seeing security breaches and hacktivism and so forth every day in the newspapers.

I think we can expect to see more regulation and more frequent revisions of regulations and standards affecting IT organizations and their security, which really makes it imperative to engineer your IT environment in such a way that you can accommodate those changes as they are brought to your organization, do so in an effective way, and at the least cost. Those are really the kinds of things that O-ACEML has targeted, and I think there is a lot of benefit to organizations in using it.

Gardner: Shawn, one more question to you as a follow-up to what Jim said. Not only should we expect more regulations, but we'll see them coming from different governments, different strata of governments, so state, local, federal perhaps. For a multinational organization, this could be a very complex undertaking, so I'm curious as to whether O-ACEML could also help when it comes to managing multiple regulations across multiple jurisdictions for larger organizations.

Mullen: That was the goal when we came up with O-ACEML. Anybody could author it, and again, if a single system fell under the purview of multiple compliance requirements, we could plan that together and that system would be a multiple one.

It's an international standard; we want it to be used by multiple compliance organizations. And compliance is a good thing. It's just good IT governance. It will save companies money in the long run, as we saw with these statistics. The goal is to lower the cost of being compliant, so you get good IT governance, just with a lower cost.

Gardner: Thanks. This sponsored podcast is coming to you in conjunction with The Open Group Conference in Austin, Texas, in the week of July 18, 2011. Thanks to both our guests: Jim Hietala, the Vice President of Security at The Open Group. Thank you, Jim.

Hietala: Thank you, Dana.

Gardner: And also Shawn Mullen, Power Software Security Architect at IBM. Thank you, Shawn.

Mullen: Thank you, Dana.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks again for listening, and come back next time.

Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.