Industry Moves to Fill Gap for Building Trusted Supply Chain Technology Accreditation
Transcript of a BriefingsDirect podcast from The Open Group Conference on The Open Group Trusted Technology Forum and setting standards for security and reliability.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Sponsor: The Open Group

Dana Gardner: Hi. This is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect. Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference in Austin, Texas, the week of July 18, 2011. We've assembled a distinguished panel to update us on The Open Group Trusted Technology Forum, also known as the OTTF, and an accreditation process to help technology acquirers and buyers safely conduct global procurement and supply chain commerce. [Disclosure: The Open Group is a Sponsor of BriefingsDirect podcasts.]

We'll examine how the security risk for many companies and organizations has only grown, even as these companies form essential partnerships and integral supplier relationships. So, how can all the players in a technology ecosystem gain assurances that the other participants are adhering to best practices and taking the proper precautions?

Here to help us better understand how established standard best practices and an associated accreditation approach can help make supply chains stronger and safer is our panel.

We're here with Dave Lounsbury, the Chief Technical Officer at The Open Group. Welcome back, Dave.

Dave Lounsbury: Hello Dana. How are you?

Gardner: Great. We are also here with Steve Lipner, Senior Director of Security Engineering Strategy in the Trustworthy Computing Security at Microsoft. Welcome back, Steve.

Steve Lipner: Hi, Dana. Glad to be here.

Gardner: We're here also with Joshua Brickman, Director of the Federal Certification Program Office at CA Technologies. Welcome, Joshua.

Joshua Brickman: Thanks for having me.

Gardner: And, we're here too with Andras Szakal. He's the Vice President and CTO of IBM's Federal Software Group. Welcome back, Andras.
Andras Szakal: Thank you very much, Dana. I appreciate it.

Gardner: Dave, let's start with you. We've heard so much lately about "hacktivism," break-ins, and people being compromised. These are some very prominent big companies, both public and private. How important is it that we start to engage more with things like the OTTF?

No backup plan

Lounsbury: Dana, a great quote coming out of this week's conference was that we have moved the entire world's economy to being dependent on the Internet, without a backup plan. Anyone who looks at the world economy will see, not only are we dependent on it for exchange of value in many cases, but even information about how our daily lives are run, traffic, health information, and things like that. It's becoming increasingly vitally important that we understand all the aspects of what it means to have trust in the chain of components that deliver that connectivity to us, not just as technologists, but as people who live in the world.

Gardner: Steve Lipner, your thoughts on how this problem seems to be only getting worse?

Lipner: Well, the attackers are becoming more determined and more visible across the Internet ecosystem. Vendors have stepped up to improve the security of their product offerings, but customers are concerned. A lot of what we're doing in The Open Group and in the OTTF is about trying to give them additional confidence of what vendors are doing, as well as inform vendors what they should be doing.

Gardner: Joshua Brickman, this is obviously a big topic and a very large and complex area. From your perspective, what is it that the OTTF is good at? What is it focused on? What should we be looking to it for in terms of benefit in this overall security issue?

Brickman: One of the things that I really like about this group is that you have all of the leaders, everybody who is important in this space, working together with one common goal.

Today, we had a discussion where one of the things we were thinking about is, whether there's a 100 percent fail-safe solution to cyber? And there really isn't. There is just a bar that you can set, and the question is how much do you want to make the attackers spend, before they can get over that bar? What we're going to try to do is establish that level, and working together, I feel very encouraged that we are getting there, so far.

Gardner: Andras, we are not just trying to set the bar, but we're also trying to enforce, or at least have clarity into, what other players in an ecosystem are doing. So that accreditation process seems to be essential.
Szakal: We're going to develop a standard, or are in the process of developing a specification and ultimately an accreditation program, that will validate suppliers and providers against that standard. It's focused on building trust into a technology provider organization through this accreditation program, facilitated through either one of several different delivery mechanisms that we are working on. We're looking for this to become a global program, with global partners, as we move forward.

Gardner: It seems as if almost anyone is a potential target, and when someone decides to target you, you do seem to suffer. We've seen things with Booz Allen, RSA, and consumer organizations like Sony. Is this something that almost everyone needs to be more focused on? Are we at the point now where there is no such thing as turning back, Dave Lounsbury?

Global effort

Lounsbury: I think there is, and we have talked about this before. Any electronic or information system now is really built on components and software that are delivered from all around the globe. We have software that's developed in one continent, hardware that's developed in another, integrated in a third, and used globally. So, we really do need to have the kinds of global standards and engagement that Andras has referred to, so that there is that one bar for all to clear in order to be considered as a provider of trusted components.

Gardner: As we've seen, there is a weak link in any chain, and the hackers or the cybercriminals or the state sponsored organizations will look for those weak links. That's really where we need to focus.

Lounsbury: I would agree with that. In fact, some of the other outcomes of this week's conference have been the change in these attacks, from just nuisance attacks, to ones that are focused on monetization of cyber crimes and exfiltration of data. So the spectrum of threats is increasing a lot. More sophisticated attackers are looking for narrower and narrower attack vectors each time. So we really do need to look across the spectrum of how this IT technology gets produced in order to address it.

Gardner: Steve Lipner, it certainly seems that the technology supply chain is essential. If there is weakness there, then it's difficult for the people who deploy those technologies to cover their bases. It seems that focusing on the technology providers, the ecosystems that support them, is a really necessary first step to taking this to a larger, either public or private, buyer side value.
Lipner: The tagline we have used for The Open Group TTF is "Build with Integrity, Buy with Confidence." We certainly understand that customers want to have confidence in the hardware and software of the IT products that they buy. We believe that it's up to the suppliers, working together with other members of the IT community, to identify best practices and then articulate them, so that organizations up and down the supply chain will know what they ought to be doing to ensure that customer confidence.

Gardner: Let's take a step back and get a little bit of a sense of where this process that you are all involved with is. I know you're all on working groups and in other ways involved in moving this forward, but it's been about six months now since The OTTF was developed initially, and there was a white paper to explain that.

Perhaps, one of you will volunteer to give us sort of a state of affairs where things are. Then, we'd also like to hear an update about what's been going on here in Austin. Anyone?

Szakal: Well, as the chair, I have the responsibility of keeping track of our milestones, so I'll take that one.

A, we completed the white paper earlier this year, in the first quarter. The white paper was visionary in nature, and it was obviously designed to help our constituents understand the goals of the OTTF.

However, in order to actually make this a normative specification and design a program, around which you would have conformance and be able to measure suppliers' conformity to that specification, we have to develop a specification with normative language.

First draft

We're finishing that up as we speak and we are going to have a first draft here within the next month. We're looking to have that entire specification go through company review in the fourth quarter of this year.

Simultaneously, we'll be working on the accreditation policy and conformance criteria and evidence requirements necessary to actually have an accreditation program, while continuing to liaise with other evaluation schemes that are interested in partnering with us. In a global international environment, that's very important, because there exist more than one of these regimes that we will have to exist, coexist, and partner with.

Over the next year, we'll have completed the accreditation program and have begun testing of the process, probably having to make some adjustments along the way. We're looking at sometime within the first half of 2012 for having a completed program to begin ramping up.
Gardner: Is there an update on the public sector's, or in the U.S., the federal government's, role in this? Are they active? Are they leading? How would you characterize the public role or where you would like to see that go?

Szakal: The forum itself continues to liaise with the government and all of our constituents. As you know, we have several government members that are part of the TTF and they are just as important as any of the other members. We continue to provide updates to many of the governments that we are working with globally to ensure they understand the goals of the TTF and how they can provide value synergistically with what we are doing, as we would to them.

Gardner: I'll throw this back out to the panel. How about the activities this week at the conference? What have been the progress or insights that you can point to from that?

Brickman: We've been meeting for the first couple of days and we have made tremendous progress on wrapping up our framework and getting it ready for the first review.

We've also been meeting with several government officials. I can't say who they are, but what's been good about it is that they're very positive on the work that we're doing, they support what we are doing and want to continue this discussion.

It's very much a partnership, and we do feel like it's not just an industry-led project, where we have participation from folks who could very much be the consumers of this initiative.

Gardner: Clearly, there are a lot of stakeholders around the world, across both the public and private domains.

Dave Lounsbury, what's possible? What would we gain if this is done correctly? How would we tangibly look to improvements? I know that's hard with security.
It's hard to point out what doesn't happen, which is usually the result of proper planning, but how would you characterize the value of doing this all correctly say a year or two from now?

Awareness of security

Lounsbury: One of the trends we'll see is that people are increasingly going to be making decisions about what technology to produce and who to partner with, based on more awareness of security.

A very clear possible outcome is that there will be a set of simple guidelines and ones that can be implemented by a broad spectrum of vendors, where a consumer can look and say, "These folks have followed good practices. They have baked secure engineering, secure design, and secure supply chain processes into their thing, and therefore I am more comfortable in dealing with them as a partner."

Of course, what that means is that, not only do you end up with more confidence in your supply chain and the components for getting to that supply chain, but also it takes a little bit of work off your plate. You don't have to invest as much in evaluating your vendors, because you can use commonly available and widely understood sort of best practices.

From the vendor perspective, it's helpful because we're already seeing places where a company, like a financial services company, will go to a vendor and say, "We need to evaluate you. Here's our checklist." Of course, the vendor would have to deal with many different checklists in order to close the business, and this will give them some common starting point.

Of course, everybody is going to customize and build on top of what that minimum bar is, depending on what kind of business they're in. But at least it gives everybody a common starting point, a common reference point, some common vocabulary for how they are going to talk about how they do those assessments and make those purchasing decisions.

Gardner: Steve Lipner, do you think that this is going to find its way into a lot of RFPs, beginning a sales process, looking to have a major checkbox around these issues? Is that sort of how you see this unfolding?

Lipner: If we achieve the sort of success that we are aiming for and anticipating, you'll see requirements for the TTF, not only in RFPs, but also potentially in government policy documents around the world, basically aiming to increase the trust of broad collections of products that countries and companies use.

Gardner: Joshua Brickman, I have to imagine that this is a living type of an activity that you never really finish. There's always something new to be done, a type of threat that's evolving that needs to be reacted to. Would the TTF over time take on a larger role? Do you see it expanding into a larger set of requirements, even as it adjusts to the contemporary landscape?

Brickman: That's possible.
I think that we are going to try to get something achievable out there in a timeframe that's useful and see what sticks.

One of the things that will happen is that as companies start to go out and test this, as with any other standard, the 1.0 standard will evolve to something that will become more germane, and as Steve said, will hopefully be adopted worldwide.

Agile and useful

It's absolutely possible. It could grow. I don't think anybody wants it to become a behemoth. We want it to be agile, useful, and certainly something readable and achievable for companies that are not multinational billion dollar companies, but also companies that are just out there trying to sell their piece of the pie into the space. That's ultimately the goal of all of us, to make sure that this is a reasonable achievement.

Lounsbury: Dana, I'd like to expand on what Joshua just said. This is another thing that has come out of our meetings this week. We've heard a number of times that governments, of course, feel the need to protect their infrastructure and their economies, but also have a realization that because of the rapid evolution of technology and the rapid evolution of security threats that it's hard for them to keep up. It's not really the right vehicle.

There really is a strong preference. The U.S. strategy on this is to let industry take the lead. One of the reasons for that is the fact that industry can evolve, in fact must evolve, at the pace of the commercial marketplace. Otherwise, they wouldn't be in business.

So, we really do want to get that first stake in the ground and get this working, as Joshua said. But there is some expectation that, over time, the industry will drive the evolution of security practices and security policies, like the ones OTTF is developing at the pace of commercial market, so that governments won't have to do that kind of regulation which may not keep up.

Gardner: Andras, any thoughts from your perspective on this ability to keep up in terms of market forces? How do you see the dynamic nature of this being able to be proactive instead of reactive?

Szakal: One of our goals is to ensure that the viability of the specification itself, the best practices, are updated periodically. We're talking about potentially yearly.
And to include new techniques and the application of potentially new technologies to ensure that providers are implementing the best practices for development engineering, secure engineering, and supply chain integrity.

It's going to be very important for us to continue to evolve these best practices over a period of time and not allow them to fall into a state of static disrepair.

I'm very enthusiastic, because many of the members are very much in agreement that this is something that needs to be happening in order to actually raise the bar on the industry, as we move forward, and help the entire industry adopt the practices and then move forward in our journey to secure our critical infrastructure.

Gardner: Given that this has the potential of being a fairly rapidly evolving standard that may start really appearing in RFPs and be impactful for real world business success, how should enterprises get involved from the buy side? How should suppliers get involved from the sell side, given that this is seemingly a market driven, private enterprise driven activity?

I'll throw this out to the crowd. What's the responsibility from the buyers and the sellers to keep this active and to keep themselves up-to-date?

Lounsbury: Let me take the first stab at this. The reason we've been able to make the progress we have is that we've got the expertise in security from all of these major corporations and government agencies participating in the TTF. The best way to maintain that currency and maintain that drive is for people who have a problem, if you're on the buy side or expertise from either side, to come in and participate.
Hands-on awareness

You have got the hands-on awareness of the market, and bringing that in and adding that knowledge of what is needed to the specification and helping move its evolution along is absolutely the best thing to do.

That's our steady state, and of course the way to get started on that is to go and look at the materials. The white paper is out there. I expect we will be doing snapshots of early versions of this that would be available, so people can take a look at those. Or, come to an Open Group Conference and learn about what we are doing.

Gardner: Anyone else have a reaction to that? I'm curious. Given that we are looking to the private sector and market forces to be the drivers of this, will they also be the drivers in terms of enforcement? Is this voluntary? One would hope that market forces reward those who seek accreditation and demonstrate adhesion to the standard, and that those who don't would suffer. Or is there a potential for more teeth and more enforcement? Again, I'll throw this out to the panel at large.

Szakal: As vendors, we'd like to see minimal regulation and that's simply the nature of the beast. In order for us to conduct our business and lower the cost of market entry, I think that's important.

I think it's important that we provide leadership within the industry to ensure that we're following the best practices to ensure the integrity of the products that we provide. It's through that industry leadership that we will avoid potential damaging regulations across different regional environments.

We certainly wouldn't want to see different regulations pop up in different places globally. It makes for very messy technology insertion opportunity for us. We're hoping that by actually getting engaged and providing some self-regulation, we won't see additional government or international regulation.

Lipner: One of the things that my experience has taught me is that customers are very aware these days of security, product integrity, and the importance of suppliers paying attention to those issues. Having a robust program like the TTF and the certifications that it envisions will give customers confidence, and they will pay attention to that. That will change their behavior in the market even without formal regulations.

Gardner: Joshua Brickman, any thoughts on the self-regulation benefits? If that doesn't work, is it self-correcting? Is there a natural approach that if this doesn't work at first, that a couple of highly publicized incidents and corporations that suffer for not regulating themselves properly, would right that ship, so to speak?
Brickman: First of all, industry setting the standard is an idea that has been thrown around a while, and I think that it's great to see us finally doing it in this area, because we know our stuff the best.

But as far as an incident indicating that it's not working, I don't think so. We're going to try to set up a standard, whereby we're providing public information about what our products do and what we do as far as best practices. At the end of the day the acquiring agency, or whatever, is going to have to make decisions, and they're going to make intelligent decisions, based upon looking at folks that choose to go through this and folks that choose not to go through it.

It will continue

The bad news that continues to come out is going to continue to happen. The only thing that they'll be able to do is to look to the companies that are the experts in this to try to help them with that, and they are going to get some of that with the companies that go through these evaluations. There's no question about it.

At the end of the day, this accreditation program is going to shake out the products and companies that really do follow best practices for secure engineering and supply chain best practices.

Gardner: What should we expect next? As we heard, there has been a lot of activity here in Austin at the conference. We've got that white paper. We're working towards more mature definitions and approaching certification and accreditation types of activities. What's next? What milestone should we look to? Andras, this is for you.

Szakal: Around November, we're going to be going through company review of the specification and we'll be publishing that in the fourth quarter.

We'll also be liaising with our government and international partners during that time and we'll also be looking forward to several upcoming conferences within The Open Group where we conduct those activities.
We're going to solicit some of our partners to be speaking during those events on our behalf.

As we move into 2012, we'll be working on the accreditation program, specifically the conformance criteria and the accreditation policy, and liaising again with some of our international partners on this particular issue. Hopefully we will, if all things go well and according to plan, come out of 2012 with a viable program.

Gardner: Dave Lounsbury, any further thoughts about next steps, what people should be looking for, or even where they should go for more information?

Lounsbury: Andras has covered it well. Of course, you can always learn more by going to www.opengroup.org and looking on our website for information about the OTTF. You can find drafts of all the documents that have been made public so far, and there will be our white paper and, of course, more information about how to become involved.

Gardner: Very good. We've been getting an update about The Open Group Trusted Technology Forum, OTTF, and seeing how this can have a major impact from a private sector perspective and perhaps head off issues about lack of trust and lack of clarity in a complex evolving technology ecosystem environment.

I'd like to thank our guests. We've been joined by Dave Lounsbury, Chief Technical Officer at The Open Group. Thank you, sir.

Lounsbury: Thank you, Dana.

Gardner: Steve Lipner, the Senior Director of Security Engineering Strategy in the Trustworthy Computing Security Group at Microsoft. Thank you, Steve.

Lipner: Thanks, Dana.

Gardner: Joshua Brickman, who is the Director of the Federal Certification Program Office in CA Technologies, has also joined us. Thank you.

Brickman: I enjoyed it very much.

Gardner: And Andras Szakal, Vice President and CTO of IBM's Federal Software Group. Thank you, sir.

Szakal: It's my pleasure. Thank you very much, Dana.

Gardner: This discussion has come to you as a sponsored podcast in conjunction with The Open Group Conference in Austin, Texas. We are here the week of July 18, 2011. I want to thank our listeners as well.

This is Dana Gardner, Principal Analyst at Interarbor Solutions. Don't forget to come back next time.

Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.