Exploring the Role and Impact of the Trusted Technology Forum

Transcript of a sponsored podcast panel discussion from The Open Group 2011 U.S. Conference on the new Open Trusted Technology Forum and its impact on business and government.

Sponsor: The Open Group

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect. Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference held in San Diego, the week of February 7, 2011. We've assembled a panel to examine The Open Group's new Open Trusted Technology Forum (OTTF), which was established in December.

The forum is tasked with finding ways to better conduct global procurement and supply-chain commerce among and between technology acquirers and buyers and across the ecosystem of technology providers. By providing transparency, collaboration, innovation, and more trust on the partners and market participants in the IT environment, the OTTF will lead to improved business risk for global supply activities in the IT field.

We'll examine how the OTTF will function, what its new framework will be charged with providing, and we will examine ways that participants in the global IT commerce ecosystem can become involved with and perhaps use the OTTF's work to its advantage.

Here with us to delve into the mandate and impact of the Trusted Technology Forum, we're here with Dave Lounsbury. He is the Chief Technology Officer for The Open Group. Welcome, Dave.

Dave Lounsbury: Hi, Dana. How are you?

Gardner: I'm great. We're also here with Steve Lipner, the Senior Director of Security Engineering Strategy in Microsoft's Trustworthy Computing Group. Welcome, Steve.

Steve Lipner: Hi, Dana. Glad to be here.

Gardner: And, we're also here with Andras Szakal, the Chief Architect in IBM's Federal Software Group and an IBM distinguished engineer. Welcome.

Andras Szakal: Welcome. Thanks for having me.

Gardner: We're also here with Carrie Gates, Vice President and Research Staff Member at CA Labs. Welcome.
Carrie Gates: Thank you.

Gardner: Let's start with you, Dave. Tell us in a nutshell what the OTTF is and why it came about?

Lounsbury: The OTTF is a group that came together under the umbrella of The Open Group to identify and develop standards and best practices for trusting supply chain. It's about how one consumer in a supply chain could trust their partners and how they will be able to indicate their use of best practices in the market, so that people who are buying from the supply chain or buying from a specific vendor will be able to know that they can procure this with a high level of confidence.

Gardner: Clearly, people have been buying these sorts of products for some time. What's new? What's changed that makes this necessary?

Concerns by DoD

Lounsbury: There are a couple of dimensions on it, and I will start this off because the other folks in the room are far more expert in this than I am. This actually started a while ago at The Open Group by a question from the U.S. Department of Defense (DoD), which faced the challenge of buying commercial off-the-shelf product. Obviously, they wanted to take advantage of the economies of scale and the pace of technology in the commercial supply chain, but realized that means they're not going to get purpose-built equipment, that they are going to buy things from a global supply chain. They asked, "What would we look for in these things that we are buying to know that people have used good engineering practices and good supply chain management practices? Do they have a good software development methodology? What would be those indicators?"

Now, that was a question from the DoD, but everybody is on somebody's supply chain. People buy components. The big vendors buy components from smaller vendors. Integrators bring multiple systems together.

So, this is a really broad question in the industry. Because of that, we felt the best way to address this was bring together a broad spectrum of industry to come in, identify the practices that they have been using -- your real, practical experience -- and bring that together within a framework to create a standard for how we would do that.

Gardner: And this is designed with that word "open" being important to being inclusive. This is about a level playing field, but not necessarily any sort of exclusionary affair.
Lounsbury: Absolutely. Not only is the objective of all The Open Group activities to produce open standards and conformance programs that are available to everyone, but in this case, because we are dealing with a global supply chain, we know that we are going to have not only vendors at all scales, but also vendors from all around the world.

If you pick up any piece of technology, it will be designed in the USA, assembled in Mexico, and built in China. So we need that international and global dimension in production of this set of standards as well.

Gardner: Andras, you've been involved with this quite a bit. For the edification of our listeners, is this mostly software we're talking about? Is it certain components? Can we really put a bead on what will be the majority of technologies that would probably be affected?

Szakal: That's a great question, Dana. I'd like to provide a little background. In today's environment, we're seeing a bit of a paradigm shift. We're seeing technology move out of the traditional enterprise infrastructure. We're seeing these very complex value chains be created. We're seeing cloud computing.

Smarter infrastructures

We're actually working to create smarter infrastructures that are becoming more intelligent, automated, and instrumented, and they are very much becoming open-loop systems. Traditionally, they were closed loop systems, in other words, closed environments, for example, the energy and utility (E&U) industry, the transportation industry, and the health-care industry. As technology becomes more pervasive and gets integrated into these environments, into the critical infrastructure, we have to consider whether they are vulnerable and how the components that have gone into these solutions are trustworthy.

Governments worldwide are asking that question. They're worried about critical infrastructure and the risk of using commercial, off-the-shelf technology -- software and hardware -- in a myriad of ways, as it gets integrated into these more complex solutions.

That's part of the worry internationally from a government and policy perspective, and part of our focus here is to help our constituents, government customers and critical infrastructure customers, understand how the commercial technology manufacturers, the software development manufacturers, go about engineering and managing their supply chain integrity.

Gardner: I got the impression somehow, listening to some of the presentations here at the Conference, that this was mostly about software. Maybe at the start, would that be the case?
Szakal: No, it's about all types of technology. Software obviously is a particularly important focus, because it's at the center of most technology anyway. Even if you're developing a chip, a chip has some sort of firmware, which is ultimately software. So that perception is valid to a certain extent, but no, not just software, hardware as well.

Gardner: Steve, I heard also the concept of "build with integrity," as applied to the OTTF. What does that mean, build with integrity?

Lipner: Build with integrity really means that the developer who is building a technology product, whether it be hardware or software, applies best practices and understood techniques to prevent the inclusion of security problems, holes, bugs, in the product -- whether those problems arise from some malicious act in the supply chain or whether they arise from inadvertent errors. With the complexity of modern software, it's likely that security vulnerabilities can creep in. So, what build with integrity really means is that the developer applies best practices to reduce the likelihood of security problems arising, as much as commercially feasible.

And not only that, but any given supplier has processes for convincing himself that upstream suppliers, component suppliers, and people or organizations that he relies on, do the same, so that ultimately he delivers as secure a product as possible.

Gardner: Carrie, one of the precepts of good commerce is a lack of friction between borders, where more markets can become involved, where the highest quality at the lowest cost types of effects can take place. This notion of trust, when applied to IT resources and assets, seems to be important to try to keep this a global market and to allow for the efficiencies that are inherent in an open market to take place. How do you see this as a borderless technology ecosystem? How does this help?

International trust

Gates: This helps tremendously in improving trust internationally. We're looking at developing a framework that can be applied regardless of which country you're coming from. So, it is not a US-centric framework that we'll be using and adhering to. We're looking for a framework so that each country, regardless of its government, regardless of the consumers within that country, all of them have confidence in what it is that we're building, that we're building with integrity, that we are concerned about both, as Steve mentioned, malicious acts or inadvertent errors.
And each country has its own bad guy, and so by adhering to an international standard we can say we're looking for bad guys for every country and ensuring that what we provide is the best possible software.

Gardner: Let's look a little bit at how this is going to shape up as a process. Dave, let's explain the idea of The Open Group being involved as a steward. What is The Open Group's role in this?

Lounsbury: The Open Group provides the framework under which both buyers and suppliers at any scale could come together to solve a common problem -- in this case, the question of providing trusted technology best practices and standards. We operate a set of proven processes that ensure that everyone has a voice and that all these standards go forward in an orderly manner.

We provide infrastructure for doing that in the meetings and things like that. The third leg is that The Open Group operates industry-based conformance programs, the certification programs, that allow someone who is not a member to come in and indicate their conformance standard and give evidence that they're using the best practices there.

Gardner: That's important. I think there is a milestone set that you were involved with. You've created the forum. You've done some gathering of information. Now, you've come out right here at this conference with the framework, with the first step towards a framework, that could be accepted across the community. There is also a white paper that explains how that's all going to work. But, eventually, you're going to get to an accreditation capability. What does that mean? Is that a stamp of approval?

Lounsbury: Let me back up just a little bit. The white paper actually lays out the framework. The work of the forum is to turn that framework into an Open Group standard and populate it. That will provide the standards and best practice foundation for this conformance program.

We're just getting started on the vision for a conformance program. One of the challenges here is that first, not only do we have to come up with the standard and then come up with the criteria by which people would submit evidence, but you also have to deal with the problem of scale.

If we really want to address this problem of global supply chains, we're talking about a very large number of companies around the world. It's a part of the challenge that the forum faces.

Accrediting vendors

Part of the work that they've embarked on is, in fact, to figure out how we wouldn't necessarily do that kind of conformance one on one, but how we would accredit either vendors themselves who have their own duty of quality processes as a big vendor would or third parties who can do assessments and then help provide the evidence for that conformance.
We're getting ahead of ourselves here, but there would be a certification authority that would verify that all the evidence is correct and grant some certificate that says that they have met some or all of the standards.

Szakal: Our vision is that we want to leverage some of the capability that's already out there. Most of us go through common criteria evaluations and that is actually listed as a best practice for a validating security function and products.

Where we are focused, from an accreditation point of view, affects more than just security products. That's important to know. However, we definitely believe that the community of assessment labs that exists out there that already conducts security evaluations, whether they be country-specific or that they be common criteria, needs to be leveraged. We'll endeavor to do that and integrate them into both the membership and the thinking of the accreditation process.

Gardner: Thank you, Andras. Now, for a company that is facing some hurdles -- and we heard some questions in our sessions earlier about: "What do I have to do? Is this going to be hard for an SMB?" -- the upside could be pretty significant. If you're a company and you do get that accreditation, you're going to have some business value. Steve Lipner, what from your perspective is the business rationale for these players to go about this accreditation to get this sort of certification?

Lipner: To the extent that the process is successful, why then customers will really value the certification? And will that open markets or create preferences in markets for organizations that have sought and achieved the certification?

Obviously, there will be effort involved in achieving the certification, but that will be related to real value, more trust, more security, and the ability of customers to buy with confidence.

The challenge that we'll face as a forum going forward is to make the processes deterministic and cost-effective. I can understand what I have to do. I can understand what it will cost me. I won't get surprised in the certification process and I can understand that value equation. Here's what I'm going to have to do and then here are the markets and the customer sets, and the supply chains it's going to open up to me.

Gardner: So, we understand that there is this effort afoot that the idea is to create more trust and a set of practices in place, so that everyone understands that certain criteria have been met and vulnerabilities have been reduced. And, we understand that this is going to be a community effort and you're going to try to be inclusive.

What I'm now curious about is what is it this actually consists of -- a list of best practices, technology suggestions? Are there certain tests and requirements that are already in place that one would have to tick off? Let me take that to you, Carrie, and we'll go around the panel. How do you actually assure that this is safe stuff?
Different metrics

Gates: If you refer to our white paper, we start to address that there. We were looking at a number of different metrics across the board. For example, what do you have for documentation practices? Do you do code reviews? There are a number of different best practices that are already in the field that people are using. Anyone who wants to be certified can go and look at this document and say, "Yes, we are following these best practices" or "No, we are missing this. Is it something that we really need to add? What kind of benefit will it provide to us beyond the certification?"

Gardner: Dave, anything to add as to how a company would go about this? What are some of the main building blocks to a low-vulnerability technology creation and distribution process?

Lounsbury: Again, I refer everybody to the white paper, which is available on The Open Group website. You'll see there in the categories that we've divided these kinds of best practice into four broad categories: product engineering and development methods, secure engineering development methods, supply chain integrity methods and the product evaluation methods.

Under those categories, we'll be looking at the attributes that are necessary to each of those categories and then identifying the underlying standards or bits of evidence, so people can submit to indicate their conformance.

I want to underscore this point about the question of the cost to a vendor. Steve said it very well. The objective here is to raise best practices across the industry and make the best practice commonplace. One of the great things about an industry-based conformance program is that it gives you the opportunity to take the standards and those categories that we've talked about as they are developed by OTTF and incorporate those in your engineering and development processes.

So you're baking in the quality as you go along, and not trying to have an expensive thing going on at the end.

Gardner: Andras, IBM is perhaps one of the largest providers to governments and defense agencies when it comes to IT and certainly, at the center of a large ecosystem around the world, you probably have some insights into best practices that satisfy governments and military and defense organizations.

Can you offer a few major building blocks that perhaps folks that have been in a completely commercial environment would need to start thinking more about as they try to think about reaching accreditation?

Szakal: We have three broad categories here and we've broken each of the categories into a set of principles, what we call best practice attributes. One of those is secure engineering. Within secure engineering, for example, one of the attributes is threat assessment and threat modeling.
Another would be to focus on lineage of open-source. So, these are some of the attributes that go into these large-grained categories.

Unpublished best practices

You're absolutely right, we have thought about this before. Steve and I have talked a lot about this. We've worked on his secure engineering initiative, his SDLC initiative within Microsoft. I worked on and was co-author of the IBM Secure Engineering Framework. So, these are living examples that have been published, but are proprietary, for some of the best practices out there. There are others, and in many cases, most companies have addressed this internally, as part of their practices without having to publish them.

Part of the challenge that we are seeing, and part of the reason that Microsoft and IBM went to the length of publishing there is that government customers and critical infrastructure were asking what is the industry practice and what were the best practices.

What we've done here is taken the best practices in the industry and bringing them together in a way that's non-vendor specific. So you're not looking to IBM, you're not having to look at the other vendors' methods of implementing these practices, and it gives you a non-specific way of addressing them based on outcome.

These have all been realized in the field. We've observed these practices in the wild, and we believe that this is going to actually help vendors mature in these specific areas. Governments recognize that, to a certain degree, the industry is not a little drunk and disorderly and we do actually have a view on what it means to develop product in a secure engineering manner and that we have supply chain integrity initiatives out there. So, those are very important.

Gardner: Somebody mentioned earlier that technology is ubiquitous across so many products and services. Software in particular is growing more important in how it affects all sorts of different aspects of different businesses around the world. It seems to me this is an inevitable step that you're taking here and that it might even be overdue.

If we can take the step of certification and agreement about technology best practices, does this move beyond just technology companies in the ecosystem to a wider set of products and services? Any thoughts about whether this is a framework for technology that could become more of a framework for general commerce, Dave?

Lounsbury: Well, Dana, you asked me a question I'm not sure I have an answer for. We've got quite a task in front of us doing some of these technology standards. I guess there might be cases where vertical industries that are heavy technology employers or have similar kinds of security problems might look to this or there might be some overlap. The one that comes to my mind immediately is health care, but we will be quite happy if we get the technology industry standards and best practices in place in the near future.
Gardner: I didn't mean to give you more work to do necessarily. I just wanted to emphasize how this is an important and inevitable step and that the standardization around best practices, trust and credibility for lack of malware and other risks that come in technology is probably going to become more prevalent across the economy and the globe. Would you agree with that, Andras?

Szakal: This approach is, by the way, our best practices approach to solving this problem. It's an approach that's been taken before by the industry or industries from a supply chain perspective. There are several frameworks out there that abstract the community practice into best practices and use it as a way to help global manufacturing and development practices, in general, ensure integrity.

Our approach is not all that unique, but it's certainly the first time the technology industry has come together to make sure that we have an answer to some of these most important questions.

Gardner: Any thoughts, Steve?

Lipner: I think Andras was right in terms of the industry coming together to articulate best practices. You asked a few minutes ago about existing certifications and beyond in the trust and assurance space. Beyond common criteria for security features, security products, there's really not much in terms of formal evaluation processes today.

Creating a discipline

One of the things we think that the forum can contribute is a discipline that governments and potentially other customers can use to say, "What is my supplier actually doing? What assurance do I have? What confidence do I have?"

Gardner: Dave?

Lounsbury: I want to expand on that point a little bit. The white paper's name, "The Open Trusted Technology Provider Framework," was quite deliberately chosen. There are a lot of practices out there that talk about how you would establish specific security criteria or specific security practices for products. The Open Trusted Technology Provider Forum wants to take a step up and not look at the products, but actually look at the practices that the providers employ to do that. So it's bringing together those best practices.

Now, good technology providers will use good practices, when they're looking at their products, but we want to make sure that they're doing all of the necessary standards and best practices across the spectrum, not just, "Oh, I did this in this product."

Szakal: I have to agree 100 percent. We're not simply focused on a bunch of security controls here. This is industry continuity and practices for supply chain integrity, as well as our internal manufacturing practices around the actual practice and process of engineering or software development, as well as supply chain integrity practices.
That's a very important point to be made. This is not a traditional security standard, insomuch as that we've got a hundred security controls that you should always go out and implement. You're going to have certain practices that make sense in certain situations, depending on the context of the product you're manufacturing.

Gardner: Carrie, any suggestions for how people could get started at least from an educational perspective? What resources they might look to or what maybe in terms of a mindset they should start to develop as they move towards wanting to be a trusted part of a larger supply chain?

Gates: I would say an open mindset. In terms of getting started, the white paper is an excellent resource to get started and understand how the OTTF is thinking about the problem. How are we sort of structuring things? What are the high-level attributes that we are looking at? Then, digging down further and saying, "How are we actually addressing the problem?"

We had mentioned threat modeling, which for some -- if you're not security-focused -- might be a new thing to think about, as an example, in terms of your supply chain. What are the threats to your supply chain? Who might be interested, if you're looking at malicious attack, in inserting something into your code? Who are your customers and who might be interested in potentially compromising them? How might you go about protecting them?

I am going to contradict Andras a little bit, because there is a security aspect to this, and there is a security mindset that is required. The security mindset is a little bit different, in that you tend to be thinking about who is it that would be interested in doing harm and how do you prevent that? It's not a normal way of thinking about problems. Usually, people have a problem, they want to solve it, and security is an add-on afterwards. We're asking that they start that thinking as part of their process now and then start including that as part of their process.

Szakal: But, you have to agree with me that this isn't your hopelessly lost techie 150-paragraph list of security controls you have to do in all cases, right?

Gates: Absolutely, there is no checklist of, "Yes, I have a firewall. Yes, I have an IDS."

Gardner: Okay. It strikes me that this is really a unique form of insurance -- insurance for the buyer, insurance for the seller -- that they can demonstrate that they've taken proper steps -- and insurance for the participants in a vast and complex supply chain of contractors and suppliers around the world. Do you think the word "insurance" makes sense or "assurance?" How would you describe it, Steve?

Lipner: We talk about security assurance, and assurance is really what the OTTF is about, providing developers and suppliers with ways to achieve that assurance in providing their customers ways to know that they have done that. Andras referred to install the firewall, and so on. This is really not about adding some security band-aid onto a technology or a product. It's really about the fundamental attributes or assurance of the product or technology that's being produced.
Gardner: Very good. I think we'll need to leave it there. We have been discussing The Open Group's new Open Trusted Technology Forum, the associated Open Trusted Technology Provider Framework, and the movement towards more of an accreditation process for the global supply chains around technology products.

I want to thank our panel. We've been joined by Dave Lounsbury, the Chief Technology Officer of The Open Group. Thank you.

Lounsbury: Thank you, Dana.

Gardner: Also, Steve Lipner, the Senior Director of Security Engineering Strategy in Microsoft's Trustworthy Computing Group. Thank you, Steve.

Lipner: Thank you, Dana.

Gardner: And also, Andras Szakal, he is the Chief Architect in the IBM Federal Software Group and an IBM Distinguished Engineer. Thank you.

Szakal: Thank you so much.

Gardner: And, also Carrie Gates, Vice President and Research Staff Member at CA Labs. Thank you.

Gates: Thank you.

Gardner: You've been listening to a sponsored podcast discussion in conjunction with The Open Group Conference here in San Diego, the week of February 7, 2011. I'm Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks for joining and come back next time.

Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.