
Introduction to the Security Forum



  1. Jet Propulsion Laboratory, California Institute of Technology, 4800 Oak Grove Drive, Pasadena, California 91109-8099. J. Steven Jenkins, Ph.D., Principal Engineer, +1 818 354-6055, steven.jenkins@jpl.nasa.gov. Introduction to the Security Forum

  2. What We Used to Do
     • Security Standards Development
       • X/Open Basic Security Services (XBSS)
       • Common Data Security Architecture (CDSA)
         • With reference implementation
       • Authorization API (AZN API)
     • Work on PKI
       • Architecture (APKI)
       • DCE/PKI Integration

  3. Why We Don’t Do That Now
     • Security standards development is well addressed by some other organizations
       • IETF, OASIS
     • Some high-profile standards did not achieve the desired uptake and effect
       • CDSA, AZN
     • There are significant challenges in security that are not being addressed anywhere on a systematic basis

  4. Classical Security Analysis
     • Classical model in a cartoon
       • Analyze threats
       • Analyze vulnerabilities
       • Analyze risks
       • Design and implement countermeasures
     • What’s wrong with the classical model?
       • It starts with bad things to prevent
       • It assumes all risk is bad
       • The result often prevents good things

  5. Our Model Is Different
     • We believe that security exists to ensure that business gets done according to policy
     • Policies are business-driven, for example:
       • Comply with the law because you want to stay in business
       • Respect your customers because you want to keep them
       • Understand your risks and make business decisions about which to accept and how

  6. Managing Risk
     • Risk is not necessarily a bad thing
     • Every business transaction carries risk
     • Some ways to deal with risk
       • Disclaim it
       • Transfer it by contract
       • Hedge against it
       • Insure against it
       • Accept it
     • Security helps you manage risk by design

  7. Active Loss Prevention
     • The Open Group has had an Active Loss Prevention Initiative for several years
     • It provides a framework for addressing IT issues related to risk and loss in the context of law, insurance, and business
     • The ALP Initiative is now integrated into the Security Forum
     • A welcome addition because their aims are the same as ours

  8. Summary
     • Our mission is to bridge the gap between business objectives and traditional “security” technology
       • Clear ways to talk about business security
       • Analytical tools to turn objectives into design
       • Identification of gaps in both understanding and technology
         • What are the emerging requirements?
       • Better understanding between buyers and suppliers of IT
