OTTF - The Open Group

Transcription

Managing Cybersecurity Threats by engaging with Accredited Open Trusted Technology Providers - Organizations that conform to the Open Trusted Technology Provider™ Standard – Mitigating Maliciously Tainted and Counterfeit Products (O-TTPS). "Build with Integrity - Buy with Confidence™"
Sally Long, Director, The Open Group Trusted Technology Forum, [email protected]
Copyright (C) The Open Group 2015
Presentation Overview
• Background & Context:
  - Brief overview of The Open Group and The Open Group Trusted Technology Forum (OTTF)
• The Supply Chain Challenge as it applies to:
  - COTS ICT
  - Critical Infrastructure
• Industry Response to the Challenge
  - The Open Trusted Technology Provider™ Standard – Mitigating Maliciously Tainted and Counterfeit Products (O-TTPS)
  - O-TTPS Accreditation Program
• Current State of the OTTF:
  - Milestones, Roadmap and Global Outreach Efforts
• What You Can Do Now
The Open Group Membership
Over 40,000 participants from over 95 countries. Over 500 memberships with HQs in 40 countries from 6 continents.
Member countries include: Argentina, Australia, Austria, Belgium, Brazil, Canada, China, Colombia, Czech Republic, Denmark, Finland, France, Germany, Hong Kong, India, Italy, Japan, Luxembourg, Malaysia, Mexico, Netherlands, New Zealand, Norway, Poland, Qatar, Russian Federation, Saudi Arabia, Singapore, South Africa, Spain, Sweden, Switzerland, Taiwan, Turkey, UK, United Arab Emirates, USA.
What Does The Open Group Do?
• Membership & Events
  - International & Regional Conferences
  - Forums: ArchiMate® Architecture, Enterprise Management Forum, IT4IT™, Open Platform 3.0™, Real-time & Embedded Systems, Security, Trusted Technology Forum, Platform Base Working Group
• Standards and Certification – Over 25 years' experience
  Voluntary consensus standards and certification programs through The Open Group Standards Process consistent with OMB Circular A-119
  - People & Organizations: ArchiMate®, POSIX®, TOGAF®, UNIX®, Open Trusted Technology Provider™
  - Professional: TOGAF®, ArchiMate®, Certified Architect (Open CA), Certified IT Specialist (Open CITS), Open FAIR
  - Consortia: Hotel Technology Next Generation (HTNG), North American State and Provincial Lotteries (NASPL), Near Field Communication Forum (NFC Forum), UNIX®, WAP, Architecture Tools
  - Defense Standards: DirecNet, FACE™
The Open Group CyberSecurity Activities

Security Forum (Open Standards & Best Practices) and Real Time & Embedded Systems Forum (Open Standards):
• Security architecture
• MILS
• Information security management
• Software assurance
• Risk management standards, best practices, and certification
• High assurance certification
• Dependability
• Compliance & security automation

Trusted Technology Forum (Supply Chain Security Standards, Best Practices):
• Open Trusted Technology Provider™ (O-TTPS) (Standard)
• Addressing maliciously tainted and counterfeit products
• O-TTPS Accreditation Program

The Supply Chain Challenge and the OTTF
The Open Group Trusted Technology Forum (OTTF)
• Government-industry roundtable discussion in 2009
  - Initiated by DoD AT&L(SE), DoD-CIO and The Open Group
• Government raised these issues
  - Moving from high assurance customized solutions to Commercial Off The Shelf (COTS) Information Communication Technology (ICT)
  - Need to confidently identify trusted COTS ICT products/providers
• Government recommendation
  - Establish consensus on best of breed best practices based on industry experience to create a standard that enables all providers to conform to those best practices when building products.
  - Create an accreditation program brand that identifies trusted technology providers who conform to the standard
• Response to the recommendation – the OTTF
  - Providers, integrators, government agencies, third party labs from around the globe responded to the recommendation
The Open Group Trusted Technology Forum
A global industry-led initiative defining best practices for secure engineering and supply chain integrity so that you can "Build with Integrity and Buy with Confidence™"
The Supply Chain Challenge for COTS ICT Providers
Product certification is not enough. Need assurance that best practices are followed through the product life cycle, including global supply chains.
[Diagram: Governments, Service Providers, Consumers and Enterprises procure from an Accredited Open Trusted Technology Provider™ – "Build with Integrity – Buy with Confidence™"]
Challenges:
• Need to secure our Global Supply Chains
• Need a full life cycle approach
• Need a standard of best practices for all constituents in the chain
• Need accreditation to help assure conformance to the standard
• Need public registry to identify trusted/accredited constituents
• Need customers to reward trusted/accredited constituents thru procurement
Technology Supply Chain Threat Matrix
[Matrix: threat type (Taint, Counterfeit) by supply chain position (Upstream, Provider, Downstream)]
Taint:
• Malware
• Malicious code (masquerading as vulnerabilities)
• Unauthorized "Parts"
• Unauthorized Configuration
Counterfeit:
• Scrap/Substandard Parts
• Unauthorized Production
A Threat-Based Problem
Global supply chain security for COTS products (Upstream – Provider – Downstream)
• Commercial Off the Shelf Products are developed and used globally
• COTS products rely on components that are often globally sourced
• COTS products are integrated into Critical Infrastructure, Government systems and Commercial solutions
THREATS:
• Counterfeit product
• Maliciously tainted
• Tainted
• Insiders
• Obsolescence
• Many others …
Four categories of requirements (one diagram built up over three slides):
1. Functional & Quality Requirements for Products: The product does what it's intended to do functionally & performs at the required performance levels.
2. Security Requirements for Products: The product meets certain security assurance levels based on requirements of the environment into which it's placed and the acceptable level of risk for that environment.
3. Functional, Quality, Security & Integrity Process Requirements for Operators: Operator organizations must ensure security and integrity of systems during operation. In addition, operator organizations must have policies in place for each of the four categories:
   - all systems function & perform well
   - products comply with security reqs.
   - they buy from trusted providers
   - systems are secure during operation & recovery
4. Security & Integrity Process Requirements for Providers (O-TTPS): Integrators and providers who build IT products must follow best practices for security and integrity – design through disposal (both in-house and in their supply chains). Reduces risk of vulnerabilities (potential malware insertion sites), tainted & counterfeit components, before the products make it into the critical environment.

The O-TTPS
The first version of the O-TTPS addresses the two threats that have been identified as the most pressing:
• Maliciously Tainted
• Counterfeit Products
O-TTPS Standard – Mitigating Risks for Tainted and Counterfeit Products
• A tainted product is "produced by the provider and is acquired through reputable channels but has been tampered with maliciously". Could result in:
  - product failure, degraded performance, can enable malware insertion, weakened security mechanisms allowing rogue functionality and potentially critical damage
  - enabled IP and Identity theft, damage to critical infrastructure operations – which could lead to catastrophic results for citizens
• A counterfeit product is "produced other than by or for the provider, or is supplied by other than a reputable channel, and is represented as legitimate". Could result in:
  - For customers: if product fails at critical juncture – loss of productivity, revenue
  - For providers: loss of revenue stream and brand damage
• Double risk if counterfeit products are also tainted
O-TTPS: Mitigating Maliciously Tainted and Counterfeit Products
• The Open Trusted Technology Provider™ Standard (O-TTPS) released in April, 2013 – 50 page document on requirements for organizational best practices
• The result of over 3 years of collaborative consensus-based effort
• Apply across product life cycle. Some highly correlated to threats of maliciously tainted and counterfeit products – others more foundational but considered essential
[Diagram: product life cycle – Design, Sourcing, Build, Fulfillment, Distribution, Sustainment, Disposal – spanning Technology Development and Supply Chain]
• 2 areas of requirements – often overlap depending on product and provider:
  - Technology Development – mostly under the provider's in-house supervision
  - Supply Chain activities – mostly where provider interacts with third parties who contribute their piece in the product's life cycle
O-TTPS: Technology Development
• Product Development/Engineering Requirements in:
  - Software/Firmware/Hardware Design Process
  - Development/Engineering Process and Practices
  - Configuration Management
  - Quality/Test Management
  - Product Sustainment Management
• Secure Development/Engineering Requirements in:
  - Threat Analysis and Mitigation
  - Run-time Protection Techniques
  - Vulnerability Analysis and Response
  - Product Patching and Remediation
  - Secure Engineering Practices
  - Monitor and assess the impact of changes in the threat landscape
O-TTPS: Supply Chain Activities
• Supply Chain Requirements in:
  - Risk Management
  - Physical Security
  - Access Controls
  - Employee and Supplier Security
  - Business Partner Security
  - Supply Chain Security Training
  - Information Systems Security
  - Trusted Technology Components
  - Secure Transmission and Handling
  - Open Source Handling
  - Counterfeit Mitigation
  - Malware Detection
OTTF Principles
The OTTF is developing its standards and accreditation programs according to these principles:
• Practical and effective – Practitioner based, evidence that it works in the field
• Reasonable – Achievable and implementable by a wide variety of vendors and stakeholders
• Affordable – Reasonably cost effective to implement
• Open – Based on open standards and recognized industry best practices – publicly available to all
• Organizational/Process Based Accreditation – Flexible enough that an organization can choose its own scope of accreditation (product, product-line, entire organization)
The O-TTPS Accreditation Program
[Diagram: governance and operation of the O-TTPS Accreditation Program]
• Based on: Warranty from Organization & Conformance Assessment
• Scope: Flexible. Whole organization to one product
• Accreditation Authority: Program operated by The Open Group
• OTTF: develops and maintains Standard. Membership is open to all
• Vendor neutral program: Accreditation Authority responsible for accreditation of 3rd party assessors, appeals, certificates, logo-use, consistency across accreditations
• Application: Open to all Component Suppliers, Providers, Integrators, Distributors and Resellers
• O-TTPS Recognized 3rd Party Assessors verify conformance
• Success! Applicant becomes an Open Trusted Technology Provider™; Program logo used to support accreditation claims
Accreditation Program Description
• The Applicant can be a Technology Provider, Component Supplier, Integrator, Distributor (Value-Add), Reseller
• The Applicant warrants and represents their conformance to requirements throughout their declared Scope of Accreditation – that is, they claim that they follow the best practices throughout the product life-cycle, including supply chain cycles, for all of the products in their declared Scope
• Scope up to Applicant: product, product(s), product-line, organization, etc.
• Warranty backed by evidence of conformance and assessment of evidence by 3rd Party Assessors
• The Open Group will operate a vendor-neutral program, provide oversight and consistency across applications
• Successful Applicant gets certificate and use of Trademark and Logo
• The Open Group manages Trademark and Logo use, problem reporting and appeals process.
• The accreditation period is 3 years before required renewal
• Launch of a public O-TTPS accreditation program December 2014 – open to any organization – don't need to be a member
Assessments by 3rd Party Labs
• Publicly Available Assessment Procedures
  - Help achieve objectivity, repeatability, and consistency across accreditations
  - Geared specifically to: Providers, Component Suppliers, Integrators and Value Add Distributors, and Resellers (Non-Value Add)
• Two types of requirements/evidence to be assessed: process and implementation
  - Process – Need evidence there are documented processes
  - Implementation – Need evidence that processes were implemented
• Formal Recognition of O-TTPS 3rd party labs
  - Must meet established criteria and assessors must pass the O-TTPS Assessor exam.
  - Receive certificates and are listed on public registry
O-TTPS Recognized Assessors
•  atsec information security corporation
•  EWA – Canada
•  Booz Allen Hamilton (BAH)
O-TTPS Recognized Assessor Requirements
Recognized Assessor Company – accepted standards:
• ISO/IEC 17020:2012: Conformity Assessment – Requirements for the operation of various types of bodies performing inspection
• ISO/IEC 17021:2011: Conformity Assessment – Requirements for bodies providing audit and certification of management systems
• ISO/IEC 17025:2005: General requirements for the competence of testing and calibration laboratories
The Open Group Program relies on existing compliance with industry norms using standards commonly specified for information assurance (IA) assessor companies and process assessors.
Competent assessors – accepted qualifications:
• Lead auditor
  - ISO/IEC 27001
  - ISO 9001
• CMMI-DEV appraisers
• ISO/IEC 15408 or Common Criteria evaluator (with experience in evaluating lifecycle assurance requirements)
• ISO/IEC 19790 or FIPS 140-2 tester with experience in testing the process requirements of that standard

Recognized Assessor Company: Has established a process for performing O-TTPS accreditations in accordance with its own established management system requirements and The Open Group Assessment Procedures.
Competent assessors: Have sufficient skills in:
• Supply chain management terminology and techniques
• Technical knowledge of O-TTPS Attributes & the assessment program
• Have successfully completed the O-TTPS Assessor Exam
The Open Group Program builds on existing standards, assuring that Subject Matter Expertise is established in the assessor companies.
OTTF Milestones and Time Frames
[Timeline by quarter (Q1–Q4), 2010 through 2014]
• Early Industry Collaboration
• Forum Launched
• Framework White Paper Published
• Standard Development: Snapshot => Publish V 1.0
• O-TTPS v. 1.0 published April 2013
• Define Conformance Criteria, Conduct Pilot Program
• Define & Approve O-TTPS Accreditation Program
• Conducted Pilot of the O-TTPS Accreditation
• Implement and Launch Public O-TTPS Accreditation Program
• Feb 3, 2014 Announce:
  1. Public Launch of Accreditation Program
  2. First Accredited Open Trusted Technology Provider™
  3. First two O-TTPS Recognized Assessor Labs
The Open Group Trusted Technology Forum (OTTF) Roadmap
[Table: items by quarter, 4Q2014 through 4Q2015]
• ISO PAS Submission – Open Trusted Technology Provider Standard (O-TTPS) V 1.1: 4Q2014 ISO Review; 1Q2015 ISO Ballot; 2Q2015 If Approved, work with ISO to Publish O-TTPS 1.1
• Translation (Simplified Chinese): 4Q2014 Review; 1Q2015 Review; 2Q2015 Publish
• O-TTPS Assessment Procedures – Revisions: 4Q2014 Review V1.1; 1Q2015 Publish V1.1; 2Q2015 Consider ISO PAS; 3Q2015 Develop V1.2; 4Q2015 Review V1.2

The OTTF Roadmap (continued)
[Table: items by quarter, 4Q2014 through 4Q2015]
• O-TTPS Mapping to other standards (Map to: Common Criteria (CC) & NIST Cybersecurity Framework (NCF) …): Develop; Develop; Review; Publish
• O-TTPS 2.0: Develop
OTTF – Additional Publications
Publication | Type | Date
O-TTPS Recognized Assessor Program: Update Training Materials and Assessor Exam | Accreditation | Q2/15
Training Materials for Accreditation Applicants & Market Adoption Materials for Customers | Accreditation | Q2/15
O-TTPS Mapping Table(s): Update and Provide Additional Mappings | Accreditation | Q3/15
O-TTPS Accreditation Program: Update Supporting Documents | Accreditation | Q3/15
Outreach & Harmonization
• Approach
  - Communicate the facts
  - GAO Report: mentions O-TTPS as one of the two most cited supply chain standards efforts in their report
  - References to O-TTPS in NIST SP-161 draft
  - NASA RFP recommendation included O-TTPS in (SEWP V 2013)
  - Expect customers to begin demanding O-TTPS compliance
  - Mapping to NIST Cybersecurity Framework
  - Leverage opportunities to inform stakeholders
  - Conference speaking engagements
  - Concentrate on the strength of our content
  - Mapping our content to other standards
  - Use public sources and social media
  - Develop demand among the broad community through the value proposition, not regulation
  - Focus on priorities
Offers Holistic Approach to Securing Global Supply Chains
[Diagram: roles in the accreditation ecosystem]
• Customer/Acquirer: Demands Accreditation certificate as evidence of conformance to Open Trusted Technology Provider™ standards
• Integrator, Distributors, Resellers: Will seek business partners who meet Open Trusted Technology Provider™ requirements
• Provider: Will seek business partners who meet Open Trusted Technology Provider™ requirements
• Component Suppliers / Business Partners: May be hardware, software, global, open source – or not – multiple supplier layers
• Standards Body / Alliance (Standards Process): Will seek ways of achieving market up-take/integrity of standards
• Accreditation Body (Accreditation Process): Must be independent & vendor/technology-neutral
What You Can Do Now ….
• Technology Providers (OEMs, component suppliers (HW or SW), Integrators, Value-add Resellers (VARs), Distributors):
  - Get prepared: Go to http://ottps-accred.opengroup.org/home-public
  - Download the documents and read them – everything is publicly available – learn what's required, and what you need to demonstrate conformance.
  - Improve the integrity and the security of your processes.
  - Get accredited
  - Encourage your technology partners (Integrators, OEMs, VARs, Distributors, Component Suppliers) to get accredited.
• Customers (government, commercial):
  - Make your Suppliers, Integrators, VARs aware of O-TTPS.
  - Encourage them to learn about it, prepare and get accredited.
  - Let them know their accreditation is a differentiator in procurement.
• Customers, Technology Providers, Assessors:
  - Consider joining the OTTF (Forum) to evolve the standard and accreditation program in a way that meets your needs.
Resources
• The Open Group Trusted Technology Forum (OTTF)
• The OTTF Information Sheet Handout
• The O-TTPS (Standard) Version 1.1
• The Open Group represents OTTF at Congress
• OTTF Vendor Testimonials
• The O-TTPS Accreditation Website
• OTTF Podcast (Dana Gardner with: Brickman, Lipner, Lounsbury, and Szakal)
• Press Release Feb 3, 2014 – Launch of the O-TTPS Accreditation Program
• The Open Group
Thank You!
For more information contact:
Mike Hickey [email protected]
or
Sally Long [email protected]