Trusting the Chain
Security is in many ways a shared, communal effort. When you're a company that's dependent on a variety of other technology suppliers and providers, how can you be assured that the other participants are adhering to best practices and taking the proper precautions? An accreditation approach may be the way to go.
The Open Group Trusted Technology Forum, also known as the "OTTF," is designed to help technology acquirers and buyers safely conduct global procurement and supply chain commerce.
The security risk for many companies and organizations has only grown, even as these companies form essential partnerships and integral supplier relationships. So how can all the players in a technology ecosystem gain assurances that the other participants are adhering to best practices and taking the proper precautions?
Here to help us better understand how established, standard best practices and an associated accreditation approach can help make supply chains stronger and safer is Dave Lounsbury, the chief technical officer at The Open Group; Steve Lipner, senior director of security engineering strategy in Trustworthy Computing Security at Microsoft; Joshua Brickman, director of the federal certification program office at CA Technologies; and Andras Szakal, vice president and CTO of IBM's federal software group. The discussion is moderated by Dana Gardner, principal analyst at Interarbor Solutions.
Listen to the podcast (30:36 minutes).
Here are some excerpts:
Dave Lounsbury: A great quote coming out of [The Open Group Conference] is that we have moved the entire world's economy to being dependent on the Internet, without a backup plan. Anyone who looks at the world economy will see, not only are we dependent on it for exchange of value in many cases, but even for information about how our daily lives are run, traffic, health information, and things like that.
It's becoming increasingly vitally important that we understand all the aspects of what it means to have trust in the chain of components that deliver that connectivity to us, not just as technologists, but as people who live in the world.
Steve Lipner: And the attackers are becoming more determined and more visible across the Internet ecosystem. Vendors have stepped up to improve the security of their product offerings, but customers are concerned. A lot of what we're doing in The Open Group and in the OTTF is about trying to give them additional confidence of what vendors are doing, as well as inform vendors what they should be doing.
Joshua Brickman: One of the things that I really like about this group is that you have all of the leaders, everybody who is important in this space, working together with one common goal.
One of the things we're thinking about is whether there's a 100 percent fail-safe solution to cyber. And there really isn't. There is just a bar that you can set, and the question is how much do you want to make the attackers spend before they can get over that bar? What we're going to try to do is establish that level, and working together, I feel very encouraged that we are getting there, so far.
Andras Szakal: We're going to develop a standard, or are in the process of developing a specification and ultimately an accreditation program that will validate suppliers and providers against that standard.
It's focused on building trust into a technology provider organization through this accreditation program, facilitated through either one of several different delivery mechanisms that we are working on. We're looking for this to become a global program, with global partners, as we move forward.
Lounsbury: Any electronic or information system now is really built on components and software that are delivered from all around the globe. We have software that's developed in one continent, hardware that's developed in another, integrated in a third, and used globally.
So, we really do need to have the kinds of global standards and engagement that Andras has referred to, so that there is that one bar for all to clear in order to be considered as a provider of trusted components.
[There has] been a change in these attacks, from just nuisance attacks, to ones that are focused on monetization of cyber crimes and exfiltration of data. So the spectrum of threats is increasing a lot. More sophisticated attackers are looking for narrower and narrower attack vectors each time. So we really do need to look across the spectrum of how this IT technology gets produced in order to address it.
Lipner: The tagline we have used for The Open Group TTF is "Build With Integrity, Buy With Confidence." We certainly understand that customers want to have confidence in the hardware and software of the IT products that they buy.
We believe that it's up to the suppliers, working together with other members of the IT community, to identify best practices and then articulate them, so that organizations up and down the supply chain will know what they ought to be doing to ensure that customer confidence.
Szakal: [To that goal], we completed the white paper earlier this year, in the first quarter. The white paper was visionary in nature, and it was obviously designed to help our constituents understand the goals of the OTTF.
However, in order to actually make this a normative specification and design a program, around which you would have conformance and be able to measure suppliers' conformity to that specification, we have to develop a specification with normative language.
We're finishing that up as we speak and we are going to have a first draft here within the next month. We're looking to have that entire specification go through company review in the fourth quarter of this year.
Simultaneously, we'll be working on the accreditation policy and conformance criteria and evidence requirements necessary to actually have an accreditation program, while continuing to liaise with other evaluation schemes that are interested in partnering with us. In a global international environment, that's very important, because there exists more than one of these regimes that we will have to exist, coexist, and partner with.
Over the next year, we'll have completed the accreditation program and have begun testing of the process, probably having to make some adjustments along the way. We're looking at sometime within the first half of 2012 for having a completed program to begin ramping up.
The forum itself continues to liaise with the government and all of our constituents. As you know, we have several government members that are part of the TTF and they are just as important as any of the other members. We continue to provide updates to many of the governments that we are working with globally to ensure they understand the goals of the TTF and how they can provide value synergistically with what we are doing, as we would to them.
Brickman: We've made tremendous progress on wrapping up our framework and getting it ready for the first review.
We've also been meeting with several government officials. I can't say who they are, but what's been good about it is that they're very positive on the work that we're doing, they support what we are doing and want to continue this discussion.
It's very much a partnership, and we do feel like it's not just an industry-led project, where we have participation from folks who could very much be the consumers of this initiative.
Lounsbury: A very clear possible outcome is that there will be a set of simple guidelines and ones that can be implemented by a broad spectrum of vendors, where a consumer can look and say, "These folks have followed good practices. They have baked secure engineering, secure design, and secure supply chain processes into their thing, and therefore I am more comfortable in dealing with them as a partner."
Of course, what that means is that, not only do you end up with more confidence in your supply chain and the components for getting to that supply chain, but also it takes a little bit of work off your plate. You don't have to invest as much in evaluating your vendors, because you can use commonly available and widely understood sort of best practices.
From the vendor perspective, it's helpful because we're already seeing places where a company, like a financial services company, will go to a vendor and say, "We need to evaluate you. Here's our checklist." Of course, the vendor would have to deal with many different checklists in order to close the business, and this will give them some common starting point.
Of course, everybody is going to customize and build on top of what that minimum bar is, depending on what kind of business they're in. But at least it gives everybody a common starting point, a common reference point, some common vocabulary for how they are going to talk about how they do those assessments and make those purchasing decisions.
Lipner: If we achieve the sort of success that we are aiming for and anticipating, you'll see requirements for the TTF, not only in RFPs, but also potentially in government policy documents around the world, basically aiming to increase the trust of broad collections of products that countries and companies use.
Brickman: One of the things that will happen is that as companies start to go out and test this, as with any other standard, the 1.0 standard will evolve to something that will become more germane, and as Steve said, will hopefully be adopted worldwide.
I don't think anybody wants it to become a behemoth. We want it to be agile, useful, and certainly something readable and achievable for companies that are not multinational billion dollar companies, but also companies that are just out there trying to sell their piece of the pie into the space. That's ultimately the goal of all of us, to make sure that this is a reasonable achievement.
Lounsbury: This is another thing that has come out of our meetings. We've heard a number of times that governments, of course, feel the need to protect their infrastructure and their economies, but also have a realization that because of the rapid evolution of technology and the rapid evolution of security threats that it's hard for them to keep up. It's not really the right vehicle.
There really is a strong preference. The U.S. strategy on this is to let industry take the lead. One of the reasons for that is the fact that industry can evolve, in fact must evolve, at the pace of the commercial marketplace. Otherwise, they wouldn't be in business.
So, we really do want to get that first stake in the ground and get this working, as Joshua said. But there is some expectation that, over time, the industry will drive the evolution of security practices and security policies, like the ones OTTF is developing at the pace of commercial market, so that governments won't have to do that kind of regulation which may not keep up.
Szakal: One of our goals is to ensure that the viability of the specification itself, the best practices, are updated periodically. We're talking about potentially yearly. And to include new techniques and the application of potentially new technologies to ensure that providers are implementing the best practices for development engineering, secure engineering, and supply chain integrity.
It's going to be very important for us to continue to evolve these best practices over a period of time and not allow them to fall into a state of static disrepair.
I'm very enthusiastic, because many of the members are very much in agreement that this is something that needs to be happening in order to actually raise the bar on the industry, as we move forward, and help the entire industry adopt the practices and then move forward in our journey to secure our critical infrastructure.
Lounsbury: The reason we've been able to make the progress we have is that we've got the expertise in security from all of these major corporations and government agencies participating in the TTF. The best way to maintain that currency and maintain that drive is for people who have a problem, if you're on the buy side or expertise from either side, to come in and participate.
You have got the hands-on awareness of the market, and bringing that in and adding that knowledge of what is needed to the specification and helping move its evolution along is absolutely the best thing to do.
That's our steady state, and of course the way to get started on that is to go and look at the materials. The white paper is out there. I expect we will be doing snapshots of early versions of this that would be available, so people can take a look at those. Or, come to an Open Group Conference and learn about what we are doing.
Szakal: As vendors, we would like to see minimal regulation and that's simply the nature of the beast. In order for us to conduct our business and lower the cost of market entry, I think that's important.
I think it's important that we provide leadership within the industry to ensure that we're following the best practices to ensure the integrity of the products that we provide. It's through that industry leadership that we will avoid potential damaging regulations across different regional environments.
We certainly wouldn't want to see different regulations pop up in different places globally. It makes for a very messy technology insertion opportunity for us. We're hoping that by actually getting engaged and providing some self-regulation, we won't see additional government or international regulation.
Lipner: One of the things that my experience has taught me is that customers are very aware these days of security, product integrity, and the importance of suppliers paying attention to those issues. Having a robust program like the TTF and the certifications that it envisions will give customers confidence, and they will pay attention to that. That will change their behavior in the market even without formal regulations.
Brickman: Industry setting the standard is an idea that has been thrown around a while, and I think that it's great to see us finally doing it in this area, because we know our stuff the best.
We're going to try to set up a standard, whereby we're providing public information about what our products do and what we do as far as best practices. At the end of the day the acquiring agency, or whatever, is going to have to make decisions, and they're going to make intelligent decisions, based upon looking at folks that choose to go through this and folks that choose not to go through it.