<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: suckers]]></title>
    <link>http://securityratty.com/tag/suckers</link>
    <description></description>
    <pubDate>Fri, 25 Jan 2008 13:40:04 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Jericho Forum and the Collaboration Oriented Architecture (COA) position paper ]]></title>
      <link>http://securityratty.com/article/a701ae0cd5b5bc07f95ca2853776d7fc</link>
      <guid>http://securityratty.com/article/a701ae0cd5b5bc07f95ca2853776d7fc</guid>
      <description><![CDATA[Blogger: Dan Blum
After discussing the concept of collaboration oriented architecture (COA) for some time, Jericho Forum released its COA position paper last month at the RSA and Infosecurity Europe...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>Blogger: Dan Blum</p>

<p>After discussing the concept of collaboration oriented architecture (COA) for some time, Jericho Forum released its COA position paper last month at the RSA and Infosecurity Europe conferences. The paper is now posted at <a href="http://www.opengroup.org/jericho/COA_v1.0.pdf">http://www.opengroup.org/jericho/COA_v1.0.pdf</a>.</p>

<p>For those who may be unfamiliar with Jericho Forum, it started as a user forum for discussing the problem of deperimeterization, wherein centralized firewalls become less effective as the mainstay of corporate security due to mobility, partnering, outsourcing, telecommuting and all those good things that happen as organizations become more geographically distributed and virtual.</p>

<p>The COA paper focuses on the need for business processes to operate across and between multiple organizations, potentially over untrusted networks such as the Internet. Users and endpoints must securely interact with services and applications controlled by multiple security domains.</p>

<p>The COA position paper builds on the Jericho Forum commandments, which are published at <a href="http://www.opengroup.org/jericho/commandments_v1.2.pdf">http://www.opengroup.org/jericho/commandments_v1.2.pdf</a>. When reading the commandments, by the way, I find it helps to ignore the explanatory paragraphs, and just focus on the 11 statements of principle. This gets me away from nitpicking the explanations to death and into a state where I just accept them as a very good list of principles for operating securely over open networks.</p>

<p>The COA position paper spends much of its space describing the need for secure, open collaboration as well as principles, processes, standards and frameworks through which the collaboration might be achieved. Most of this doesn’t convey much new information to persons who already grasp the notion of deperimeterization and understand that security is about people, process and technology. But there were some really interesting bits in the section Recommended Solution/Response:</p>

<p>“The COA framework generalizes conventional architectures as follows. It provides:</p>

<ul><li>increased emphasis on the requirements listed under ‘principles’ below. These are traditionally only seen as external or ‘boundary’ interface concerns in enterprise architectures.</li>

<li>a user repository (keyed on people identifiers) is generalized into a contract repository (keyed on relationship, or obligation identifiers). A contract repository records agreements, and the obligations and capabilities that ensue from them.</li>

<li>an accounting log (keyed on system events) is generalized into a reputation repository (keyed on business events). A reputation repository records user actions and compares them to applicable contracts, and, depending on whether or not the actions are in accordance with the contract, upgrades or downgrades a reputation.</li></ul>

<p>The architecture formed by combining SOA (Service Oriented Architecture) with available security protocols (SAML or other XML) is insufficient to support COA. The following elements are also valuable:&nbsp; [Here, I shorten and paraphrase the list of bullet points]</p>

<ul><li>attribute brokers</li>

<li>access brokers</li>

<li>contract brokers</li>

<li>policy language (like XACML 3.0)</li>

<li>performance manager (builds audit logs and reputation systems)”</li></ul>

<p>I wish that the COA position paper had spent more space discussing some of its recommended solutions. The notion of a reputation system (not just a repository) is something we’re hearing more and more about. There is also a growing awareness of the importance of intermediaries, or brokers, that can fairly represent the interests of multiple parties. Perhaps we’ll see this covered in some future Jericho Forum work.</p>

<p>PS: The last bit of COA, in the conclusion, was quite entertaining: “A fundamental shift in thinking is required to implement a COA, moving from the thinking of a hedgehog, an animal that rolls into a tight ball at any sign of threat, to that of a Strawberry Plant, which puts all its key genetic material securely on its outside, as well as sending out suckers to extend the plant’s domain</p></div>
]]></content:encoded>
      <pubDate>Fri, 09 May 2008 10:16:55 +0000</pubDate>
      <category domain="http://securityratty.com/tag/coa">coa</category>
      <category domain="http://securityratty.com/tag/coa framework">coa framework</category>
      <category domain="http://securityratty.com/tag/coa paper focuses">coa paper focuses</category>
      <category domain="http://securityratty.com/tag/jericho forum">jericho forum</category>
      <category domain="http://securityratty.com/tag/paper">paper</category>
      <category domain="http://securityratty.com/tag/reputation repository">reputation repository</category>
      <category domain="http://securityratty.com/tag/reputation">reputation</category>
      <category domain="http://securityratty.com/tag/coa position paper">coa position paper</category>
      <category domain="http://securityratty.com/tag/future jericho forum">future jericho forum</category>
      <source url="http://feeds.feedburner.com/~r/SecurityAndRiskManagementStrategiesBlog/~3/287003508/jericho-forum-a.html">Jericho Forum and the Collaboration Oriented Architecture (COA) position paper </source>
    </item>
    <item>
      <title><![CDATA[Jericho Forum and the Collaboration Oriented Architecture (COA) position paper ]]></title>
      <link>http://securityratty.com/article/229aa2c46d05ed2d3bd64a86fd77582e</link>
      <guid>http://securityratty.com/article/229aa2c46d05ed2d3bd64a86fd77582e</guid>
      <description><![CDATA[Blogger: Dan Blum
After discussing the concept of collaboration oriented architecture (COA) for some time, Jericho Forum released its COA position paper last month at the RSA and Infosecurity Europe...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>Blogger: Dan Blum</p>

<p>After discussing the concept of collaboration oriented architecture (COA) for some time, Jericho Forum released its COA position paper last month at the RSA and Infosecurity Europe conferences. The paper is now posted at <a href="http://www.opengroup.org/jericho/COA_v1.0.pdf">http://www.opengroup.org/jericho/COA_v1.0.pdf</a>.</p>

<p>For those who may be unfamiliar with Jericho Forum, it started as a user forum for discussing the problem of deperimeterization, wherein centralized firewalls become less effective as the mainstay of corporate security due to mobility, partnering, outsourcing, telecommuting and all those good things that happen as organizations become more geographically distributed and virtual.</p>

<p>The COA paper focuses on the need for business processes to operate across and between multiple organizations, potentially over untrusted networks such as the Internet. Users and endpoints must securely interact with services and applications controlled by multiple security domains.</p>

<p>The COA position paper builds on the Jericho Forum commandments, which are published at <a href="http://www.opengroup.org/jericho/commandments_v1.2.pdf">http://www.opengroup.org/jericho/commandments_v1.2.pdf</a>. When reading the commandments, by the way, I find it helps to ignore the explanatory paragraphs, and just focus on the 11 statements of principle. This gets me away from nitpicking the explanations to death and into a state where I just accept them as a very good list of principles for operating securely over open networks.</p>

<p>The COA position paper spends much of its space describing the need for secure, open collaboration as well as principles, processes, standards and frameworks through which the collaboration might be achieved. Most of this doesn’t convey much new information to persons who already grasp the notion of deperimeterization and understand that security is about people, process and technology. But there were some really interesting bits in the section Recommended Solution/Response:</p>

<p>“The COA framework generalizes conventional architectures as follows. It provides:</p>

<ul><li>increased emphasis on the requirements listed under ‘principles’ below. These are traditionally only seen as external or ‘boundary’ interface concerns in enterprise architectures.</li>

<li>a user repository (keyed on people identifiers) is generalized into a contract repository (keyed on relationship, or obligation identifiers). A contract repository records agreements, and the obligations and capabilities that ensue from them.</li>

<li>an accounting log (keyed on system events) is generalized into a reputation repository (keyed on business events). A reputation repository records user actions and compares them to applicable contracts, and, depending on whether or not the actions are in accordance with the contract, upgrades or downgrades a reputation.</li></ul>

<p>The architecture formed by combining SOA (Service Oriented Architecture) with available security protocols (SAML or other XML) is insufficient to support COA. The following elements are also valuable:&nbsp; [Here, I shorten and paraphrase the list of bullet points]</p>

<ul><li>attribute brokers</li>

<li>access brokers</li>

<li>contract brokers</li>

<li>policy language (like XACML 3.0)</li>

<li>performance manager (builds audit logs and reputation systems)”</li></ul>

<p>I wish that the COA position paper had spent more space discussing some of its recommended solutions. The notion of a reputation system (not just a repository) is something we’re hearing more and more about. There is also a growing awareness of the importance of intermediaries, or brokers, that can fairly represent the interests of multiple parties. Perhaps we’ll see this covered in some future Jericho Forum work.</p>

<p>PS: The last bit of COA, in the conclusion, was quite entertaining: “A fundamental shift in thinking is required to implement a COA, moving from the thinking of a hedgehog, an animal that rolls into a tight ball at any sign of threat, to that of a Strawberry Plant, which puts all its key genetic material securely on its outside, as well as sending out suckers to extend the plant’s domain</p></div>
]]></content:encoded>
      <pubDate>Fri, 09 May 2008 10:16:55 +0000</pubDate>
      <category domain="http://securityratty.com/tag/coa">coa</category>
      <category domain="http://securityratty.com/tag/coa framework">coa framework</category>
      <category domain="http://securityratty.com/tag/coa paper focuses">coa paper focuses</category>
      <category domain="http://securityratty.com/tag/jericho forum">jericho forum</category>
      <category domain="http://securityratty.com/tag/paper">paper</category>
      <category domain="http://securityratty.com/tag/reputation repository">reputation repository</category>
      <category domain="http://securityratty.com/tag/reputation">reputation</category>
      <category domain="http://securityratty.com/tag/coa position paper">coa position paper</category>
      <category domain="http://securityratty.com/tag/future jericho forum">future jericho forum</category>
      <source url="http://srmsblog.burtongroup.com/2008/05/jericho-forum-a.html">Jericho Forum and the Collaboration Oriented Architecture (COA) position paper </source>
    </item>
    <item>
      <title><![CDATA[Minneapolis Gets a Workout]]></title>
      <link>http://securityratty.com/article/7d13f5b043152be3e5ee3967da121971</link>
      <guid>http://securityratty.com/article/7d13f5b043152be3e5ee3967da121971</guid>
      <description><![CDATA[My pal Julio Ojeda-Zapata walks around Minneapolis, and is relatively pleased with its network: Julio writes for the St. Paul Pioneer Press, the twin city to Minneapolis, and one that hasn't yet...]]></description>
<content:encoded><![CDATA[<p><img src="http://wifinetnews.com/images/muni_icon.jpg" align="right" hspace="5" height="80" width="80" border="0" /><strong><a href="http://www.twincities.com/ci_8723709">My pal Julio Ojeda-Zapata walks around Minneapolis, and is relatively pleased with its network:</a></strong> Julio writes for the St. Paul Pioneer Press, the twin city to Minneapolis, and one that hasn't yet engaged in what was an explosion of requests for Wi-Fi networks by cities. He had a rocky start, unable to even get a splash screen, but ultimately was able to pay for a 24-hour pass ($10), and had consistent service on a laptop, albeit at half the 1 Mbps rate he was paying for. He couldn't get an iPod touch (Apple's iPhone-without-the-phone Wi-Fi iPod) to work well on the network indoors, but had better luck outside.</p>

<p>The same day Julio's article appeared, his colleague Leslie Brooks Suzukamo <strong><a href="http://www.twincities.com/ci_8722271">filed an article about the challenges of leaves</a></strong>, something that's a big issue in Minneapolis, covered with the leafy menaces: 200,000 of the suckers that Gipper said caused pollution (as an allergy sufferer, I agree with him). Trees leaf out and reduce signal propagation, and that's something that US Internet Wireless has had to deal with. They upped their density of nodes from 26 to 42, which appears to be about the norm for both starting and ending points in muni network planning.</p>

<p>This article goes into a little more depth about the problems with dead areas due to absent or problematic utility poles (it's always about the poles). USIW plans to install some of its own poles to fill in those areas. </p>

<p>Nearby, Steve Alexander notes a pioneering wireless network at the University of Minnesota has become obsolete. The U of M is <strong><a href="http://www.startribune.com/business/17070581.html">replacing its 7-year-old 802.11b network with an 802.11n system</a></strong>. As is true in most older networks, they've got a melange of gear that's a headache to keep running and in sync. They'll spend $3.5m to cover about 40 percent of the campus with N, replacing a current similar coverage area. They may expand the network and add VoIP in the future.</p>

<p>The university and USIW are discussing interconnecting their networks for roaming.</p>]]></content:encoded>
      <pubDate>Sat, 29 Mar 2008 14:19:55 +0000</pubDate>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/network indoors">network indoors</category>
      <category domain="http://securityratty.com/tag/minneapolis">minneapolis</category>
      <category domain="http://securityratty.com/tag/wireless network">wireless network</category>
      <category domain="http://securityratty.com/tag/poles">poles</category>
      <category domain="http://securityratty.com/tag/problematic utility poles">problematic utility poles</category>
      <category domain="http://securityratty.com/tag/11b network">11b network</category>
      <category domain="http://securityratty.com/tag/networks">networks</category>
      <category domain="http://securityratty.com/tag/wi-fi networks">wi-fi networks</category>
      <source url="http://wifinetnews.com/archives/008242.html">Minneapolis Gets a Workout</source>
    </item>
    <item>
      <title><![CDATA[Is Technorati relevant anymore?]]></title>
      <link>http://securityratty.com/article/11af05d4e4aee47f2d3a34d6d926728b</link>
      <guid>http://securityratty.com/article/11af05d4e4aee47f2d3a34d6d926728b</guid>
      <description><![CDATA[I have been thinking more about the RSA Bloggers Meet up that I wrote about yesterday. That got me thinking about how bloggers are so socially interactive and probably explains why we are such suckers...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>I have been thinking more about the <a href="http://www.rsaconference.com/Security_Topics/Developing_with_Security/Blog_Security_Bloggers_Meet_up_2008.aspx">RSA Bloggers Meet</a> up that I wrote about yesterday. That got me thinking about how bloggers are so socially interactive, which probably explains why we are such suckers for things like Twitter, Facebook, etc. Then I started thinking (I know, a lot of thinking going on here; where it goes I don't know) about how blogging has changed in the years I have been at it. While blogging is bigger than ever, a lot of the social network around it has changed. For the most part, for the better I would add. However, one thing that has changed for me, anyway, is <a href="http://technorati.com/frontpage/">Technorati</a>.<br /><br />When I first started blogging, Technorati was the Google of blogs. In fact, on the not too rare times that it took forever to search on Technorati, I would think it was being overrun with queries. Putting Technorati tags into my articles was elementary and mandatory. I used to check my Technorati rankings every day and judged my blog's popularity by its &quot;authority&quot;. I would eagerly comb the rankings to see who linked to my site. Then a funny thing happened. Technorati started making so many changes that when I would log in I couldn't find what I was looking for anymore. Then it would seem that no matter what I did, unless I went in and manually pinged my site, it would not update. After a while I got tired of manually pinging from Technorati and my authority started going down.&nbsp; Frankly, I didn't even care. Then after a while, I couldn't even figure out where to go to ping my site manually on Technorati anymore. It has just lost all relevance for me as a blogger. The shame is I think the blogger community was what Technorati was about. <br /><br />Instead, I think Technorati has gone after the blog reader community. I can see the wisdom there. 
There are a lot more readers than there are writers.  However, I am not sure they do a great job on that count either.  Google, Yahoo and even MSN all do a good job of blog coverage now. So do blog readers have any allegiance or affinity for Technorati?  Does it do anything for them? I don't know. What I do know is that if they had done a better job of keeping me abreast of the changes to their site and showing me how to use it and get value out of the service, I would spend more time there and not find it so irrelevant as I do now. <br /><br />This is something I am going to discuss with my blogger buddies at the RSA bloggers meet up. With a &quot;who's who&quot; of security bloggers in attendance, what would you talk to them about?</p></div>

]]></content:encoded>
      <pubDate>Thu, 28 Feb 2008 19:42:22 +0000</pubDate>
      <category domain="http://securityratty.com/tag/technorati">technorati</category>
      <category domain="http://securityratty.com/tag/rankings">rankings</category>
      <category domain="http://securityratty.com/tag/technorati rankings everyday">technorati rankings everyday</category>
      <category domain="http://securityratty.com/tag/technorati tags">technorati tags</category>
      <category domain="http://securityratty.com/tag/technorati anymore">technorati anymore</category>
      <category domain="http://securityratty.com/tag/bloggers">bloggers</category>
      <category domain="http://securityratty.com/tag/rsa bloggers">rsa bloggers</category>
      <category domain="http://securityratty.com/tag/anymore">anymore</category>
      <category domain="http://securityratty.com/tag/blogger">blogger</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/243091082/is-technorati-r.html">Is Technorati relevant anymore?</source>
    </item>
    <item>
      <title><![CDATA[Friday Squid Blogging: National Geographic Colossal Squid Photo]]></title>
      <link>http://securityratty.com/article/22b566fae35e4d4745e89d242a0d6499</link>
      <guid>http://securityratty.com/article/22b566fae35e4d4745e89d242a0d6499</guid>
      <description><![CDATA[It's also dead : Heavier than even giant squid , colossal squid (Mesonychoteuthis hamiltoni) have eyes as wide as dinner plates and sharp hooks on some of their suckers. The new specimen weighs in at...]]></description>
      <content:encoded><![CDATA[<p>It's also <a href="http://news.nationalgeographic.com/news/2007/12/photogalleries/topphotos-pictures/photo10.html">dead</a>:</p>

<blockquote>Heavier than even <a href="http://animals.nationalgeographic.com/animals/invertebrates/giant-squid.html">giant squid</a>, colossal squid (Mesonychoteuthis hamiltoni) have eyes as wide as dinner plates and sharp hooks on some of their suckers. The new specimen weighs in at an estimated 990 pounds (450 kilograms).</blockquote>]]></content:encoded>
      <pubDate>Fri, 25 Jan 2008 13:40:04 +0000</pubDate>
      <category domain="http://securityratty.com/tag/colossal squid">colossal squid</category>
      <category domain="http://securityratty.com/tag/giant squid">giant squid</category>
      <category domain="http://securityratty.com/tag/sharp hooks">sharp hooks</category>
      <category domain="http://securityratty.com/tag/heavier">heavier</category>
      <category domain="http://securityratty.com/tag/pounds">pounds</category>
      <category domain="http://securityratty.com/tag/weighs">weighs</category>
      <category domain="http://securityratty.com/tag/hamiltoni">hamiltoni</category>
      <category domain="http://securityratty.com/tag/kilograms">kilograms</category>
      <category domain="http://securityratty.com/tag/suckers">suckers</category>
      <source url="http://www.schneier.com/blog/archives/2008/01/friday_squid_bl_110.html">Friday Squid Blogging: National Geographic Colossal Squid Photo</source>
    </item>
  </channel>
</rss>
