Standards organizations share the stage at RSA

Technology trade shows have always been occasions for companies to trot out their new products for display to a curious public. Increasingly, however, they are also a forum in which industry organizations publicize their latest initiatives, guidelines and working groups.

That trend is evident at the RSA Conference, an electronic security event being held in San Francisco from April 13 through April 17, where no fewer than three separate technology standards organizations will be making announcements.

Perhaps the highest profile development on the standards front comes from The Liberty Alliance Project, which appears ready to release draft specifications for the next phase in its network identity architecture on Monday.

While declining to divulge details about the announcement on Monday, Simon Nicholson of Sun Microsystems Inc., chair of the Liberty Alliance's business and marketing expert group, said the new draft specifications will "fill out the blueprint for building and deploying personalized identity-based Web services."

"Web services" refers to software applications that can exchange information without regard to the hardware platform, operating system or network topology used on either side of the exchange.

In an announcement in March, the consortium aimed the release of two draft specifications at mid-2003: the Identity Web Services Framework (ID-WSF) and the Identity Services Interface Specifications (ID-SIS). A source close to the Liberty Alliance this week said a draft of the ID-WSF specifications will be unveiled at RSA.

Those specifications outline the components needed to build interoperable Web services that protect user identity and the privacy of data that is exchanged.

The Liberty Alliance will also be touting the progress made since the July 2002 launch of Phase 1 of its architecture, the Identity Federation Framework (ID-FF). That framework provided standards for simplified sign-on and the linking of user accounts among businesses with established relationships.

Representatives from eighteen "big name" companies will be on hand to demonstrate interoperability among systems based on Liberty Alliance specifications, according to Nicholson.

Those services will range from projects that are in the "late beta" phase of testing to those that are in production, and they will highlight how the Liberty Alliance specifications can be used to make user sign-on easier and less complicated, he said.

Also at RSA, a group of application security vendors affiliated with the Organization for the Advancement of Structured Information Standards (OASIS) will announce a proposal for a new eXtensible Markup Language (XML) standard for application vulnerabilities.

The group, made up of Citadel Security Software Inc., GuardedNet Inc., NetContinuum Inc., SPI Dynamics Inc. and Teros Inc., is promoting the development of the Application Vulnerability Description Language (AVDL), which is intended to standardize information about application vulnerabilities, enabling different products to share vulnerability information in a heterogenous network environment, according to a statement released by the five companies.

The AVDL group submitted its idea to OASIS for study. In turn, OASIS has created a technical committee to develop an XML definition for exchanging information on the security vulnerabilities of applications exposed to networks.

A draft specification from the AVDL Technical Committee is scheduled for September, with a final specification due in December, according to OASIS.

If widely adopted, the AVDL standards will enable customers to deploy diverse "best of breed" security technology to protect their network without having to sacrifice integration and interoperability, according to Wes Wasson, chief security strategy officer at NetContinuum.

Though initially intended to foster interoperability among the products of the five sponsoring companies, AVDL has the potential to be adopted by additional product platforms and to move further up the development chain, according to Brian Cohen, CEO of SPI Dynamics.

AVDL backers hope that development platform vendors and OASIS members such as Microsoft Corp., BEA Systems Inc. and IBM Corp. will join the AVDL Technical Committee and help shape the development of the AVDL standard so that it can be easily integrated with their development environments, according to Cohen.

Asked about the potential of resistance from those large companies, or from companies that are wary of more standards, Wasson and Cohen said that demand from their customers was driving them to promote the AVDL standard.

"Customers are drowning in the complexity of the application security problem," Wasson said. "Our customers are driving this. They see it as a real business solution to real business problems."

Finally, the Information Security Systems Association (ISSA) is making what it calls a "historic announcement" at RSA. The group, an international non-profit organization made up of information security professionals and practitioners, will announce its intention to take over and complete development of the Generally Accepted Information Security Principles (GAISP).

The announcement is quite significant, according to Mike Rasmussen, vice president of marketing for ISSA and an analyst at Forrester Research Inc.

"What GAAP (Generally Accepted Accounting Principles) is for the accounting world, (GAISP) is trying to be for the security world," Rasmussen said.

Originally formulated as the Generally Accepted System Security Principles (GASSP) in response to Recommendation No. 1 of the 1990 U.S. National Research Council report, "Computers at Risk," the standards were managed by the International Information Security Foundation (IISF) and are based on other existing guidelines such as those created by the Organization for Economic Cooperation and Development, according to information provided by ISSA.

IISF published so-called "pervasive principles" in 1992 that provided high-level recommendations on information security standards, accountability and ethics to business executives. Despite updating those principles again in 2002, the GASSP effort was flagging, according to Rasmussen.

By taking over the project and renaming the standards to the GAISP, ISSA hopes to breathe new life into the project.

The ISSA hopes to finish specific management guidelines and tactics for CIOs (chief information officers) and CISOs (chief information security officers) that build on a set of pervasive principles. It will follow those with detailed principles that recommend activities for risk management and step-by-step instructions for IT staff.

In addition, ISSA will be working to bring the GAISP standards in line with ISO 17799 standards, which many companies are using to guide their security architectures, according to Rasmussen.

The GAISP project will be a massive undertaking, intended to provide security administrators with a single security framework that they can use to measure compliance with a wide range of international security standards and regulations, in addition to specific steps that can be followed to achieve and maintain compliance.

If successful, the GAISP project could help stem the confusion concerning security management, according to Rasmussen.

"Information security is becoming like OSHA," Rasmussen said, referring to the notoriously complicated rules of the U.S. Occupational Safety and Health Administration. "It's a management nightmare. These are practical standards for building and managing information security."

RSA will be the "formal kickoff" of the project, according to Rasmussen.

"We want to communicate a message to let people know that we are working," he said.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies