Standards Effort Points to Automation Via Common Markup
Language for Improved IT Compliance, Security
Transcript of a BriefingsDirect podcast from The Open Group Conference on the new Open
Automated Compliance Expert Markup Language and how it can save companies time and
money.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Sponsor: The Open Group


Dana Gardner: Hi. This is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're
listening to BriefingsDirect.

Today, we present a sponsored podcast discussion in conjunction with The Open Group
Conference in Austin, Texas, the week of July 18, 2011.

We’re going to examine the Open Automated Compliance Expert Markup Language (O-ACEML), a new
standard creation and effort that helps enterprises automate security compliance across their
systems in a consistent and cost-saving manner.

O-ACEML helps to achieve compliance with applicable regulations but also achieves major cost
savings. From the compliance audit viewpoint, auditors can carry out similarly consistent and
more capable audits in less time.

Here to help us understand O-ACEML and managing automated security compliance issues and
how the standard is evolving are our guests. We’re here with Jim Hietala, Vice President of
Security at The Open Group. Welcome back, Jim.

Jim Hietala: Thanks, Dana. Glad to be with you.

Gardner: We’re also here with Shawn Mullen. He's a Power Software Security Architect at
IBM. Welcome to the show, Shawn.

Shawn Mullen: Thank you.

Gardner: Let’s start by looking at why this is an issue. Why do O-ACEML at all? I assume that
security being such a hot topic, as well as ways in which organizations grapple with the
regulations, and compliance issues are also very hot, this has now become an issue that needs
some standardization.

Let me throw this out to both of you. Why are we doing this at all and what are the problems that
we need to solve with O-ACEML?
Hietala: One of the things you've seen in the last 10 or 12 years, since the compliance
regulations have really come to the fore, is that the more regulation there is, the more specific
requirements are put down, and the more challenging it is for organizations to manage. Their IT
infrastructure needs to be in compliance with whatever regulations impact them, and the cost of
doing so becomes a significant thing.

So, anything that could be done to help automate, to drive out cost, and maybe make
organizations more effective in complying with the regulations that affect them -- whether it’s
PCI, HIPAA, or whatever -- there's a lot of benefit to large IT organizations in doing that.
That’s really what drove us to look at adopting a standard in this area.

Gardner: Jim, just for those folks who are coming in as fresh, are we talking about IT security
equipment and the compliance around that, or is it about the process of how you do security, or
both? What are the boundaries around this effort and what it focuses on?

Manual process

Hietala: It’s both. It’s enabling the compliance of IT devices specifically around security
constraints and the security configuration settings and to some extent, the process. If you look at
how people did compliance or managed to compliance without a standard like this, without
automation, it tended to be a manual process of setting configuration settings and auditors
manually checking on settings. O-ACEML goes to the heart of trying to automate that process
and drive some cost out of an equation.

Gardner: Shawn Mullen, how do you see this in terms of the need? What are the trends or
environment that necessitate this?

Mullen: I agree with Jim. This has been going on a while, and we’re seeing it on both classes of
customers. On the high end, we would go from customer to customer and they would have their
own hardening scripts, their own view of what should be hardened. It may conflict with what the
compliance organization wanted as far as the settings. This was a standard way of taking what
the compliance organization wanted, and also it has an easy way to author it, to change it.

If your own corporate security requirements are more stringent, you can easily change the
ACEML configuration, so that it satisfies your more stringent corporate compliance or security
policy, as well as satisfying the regulatory compliance organization in an easy way to monitor
it, to report, and see it.

In addition, on the low end, the small businesses don’t have the expertise to know how to
configure their systems. Quite frankly, they don’t want to be security experts. Here is an easy
way to print an XML file to harden their systems as it needs to be hardened to meet compliance
or just the regular good security practices.

Gardner: One of the things that's jumped out at me as I’ve looked into this, is the rapid
improvement in terms of a cost or return on investment (ROI), almost to the league of a no-
brainer category. Help me understand why is it so expensive and inefficient now, when it comes
to security equipment audits and regulatory compliance. What might this then therefore bring in
terms of improvement?

Mullen: One of the things that we're seeing in the industry is server consolidation. If you have
these hundreds, or in large organizations thousands, of systems and you have to manually
configure them, it becomes a very daunting task. Because of that, it's a one-time shot at doing
this, and then the monitoring is even more difficult. With ACEML, it's a way of authoring your
security policy as it meets compliance or for your own security policy in pushing that out.

This allows you to have a single XML and push it onto heterogeneous platforms. Everything is
configured securely and consistently and it gives you a very easy way to get the tooling to
monitor those systems, so they are configured correctly today. You're checking them weekly or
daily to ensure that they remain in that desired state.

Gardner: So it's important not only to automate, but be inclusive and comprehensive in the way
you do that or you are back to manual process at least for a significant portion, but that might
then not be at your compliance issues. Is that how it works?

Mullen: We had a very interesting presentation here at The Open Group Conference yesterday.
I’ll let Jim provide some of the details on that, but customers are finding the best way they can
lower their compliance or their cost of meeting compliance is through automation. If you can
automate any part of that compliance process, that’s going to save you time and money. If you
can get rid of the manual effort with automation, it greatly reduces your cost.

Gardner: Shawn, do we have any sense in the market what the current costs are, even for
something that was as well-known as Sarbanes-Oxley? How impressive, or unfortunately
intimidating, are some of these costs?

Cost of compliance

Mullen: There was a very good study yesterday. The average cost of an organization to be
compliant is $3 million. That's annual cost. What was also interesting was that the cost of being
non-compliant, as they called it, was $9 million.

Hietala: The figures that Shawn was referencing come out of the study by the Ponemon Institute.
Larry Ponemon does lots of studies around security risk compliance cost. He authors an annual
data breach study that's pretty widely quoted in the security industry that gets to the cost of data
breaches on average for companies.

In the numbers that were presented yesterday, he recently studied 46 very large companies,
looking at their cost to be in compliance with the relevant regulations. It's like $3.5 million a
year, and over $9 million for companies that weren't compliant, which suggests that companies
that are actually actively managing towards compliance are probably a little more efficient than
those that aren't.

What O-ACEML has the opportunity to do for those companies that are in compliance is help
drive that $3.5 million down to something much less than that by automating and taking manual
labor out of process.

Gardner: So it's a seemingly very worthwhile effort. How do we get to where we are now, Jim,
with the standard and where do we need to go? What's the level of maturity with this?

Hietala: It's relatively new. It was just published 60 days ago by The Open Group. The actual
specification is on The Open Group website. It's downloadable, and we would encourage both
system vendors and platform vendors, as well as folks in the security management space or
maybe the IT-GRC space, to check it out, take a look at it, and think about adopting it as a way to
exchange compliance configuration information with platforms.

We want to encourage adoption by as broad a set of vendors as we can, and we think that having
more adoption by the industry will help make this more available so that end users can take
advantage of it.

Gardner: Back to you Shawn. Now that we've determined that we're in the process of creating
this, perhaps, you could set the stage for how it works. What takes place with ACEML? People
are familiar with markup languages, but how does this now come to bear on this problem around
compliance, automation, and security?

Mullen: Let's take a single rule, and we'll use a simple case like the minimum password length.
In PCI the minimum password length, for example, is seven. For Sarbanes-Oxley, which relies on
COBIT, the password length would be eight.

But with an O-ACEML XML, it's very easy to author a rule, and there are three segments to it.
The first segment is, it's very human understandable, where you would put something like
"password length equals seven." You can add a descriptive text with it, and that's all you have to
author.

Actionable command

When that is pushed down on to the platform or the system that's O-ACEML aware, it's able to
take that simple ACEML word or directive and map that into an actionable command relevant to
that system. When it finds the map into the actionable command, it writes it back into the XML.
So that's completing the second phase of the rule. It executes that command either to implement
the setting or to check the setting.

The result of the command is then written back into the XML. So now the XML for a particular
rule has the first part, the authored high-level directive as a compliance organization, how that
particular system mapped into a command, and the result of executing that command either in a
setting or checking format.

Now we have all of the artifacts we need to ensure that the system is configured correctly, and to
generate audit reports. So when the auditor comes in we can say, "This is exactly how any
particular system is configured and we know it to be consistent, because we can point to any
particular system, get the O-ACEML XML and see all the artifacts and generate reports from
that."

Gardner: Maybe to give a sense of how this works, we can also look at a before-and-after
scenario. Maybe you could describe how things are done now, the before or current status
approach or standard operating procedure, and then what would be the case after someone would
implement and mature O-ACEML implementation.

Mullen: There are similar tools to this, but they don't all operate exactly the same way. I'll use an
example of BigFix. If I had a particular system, they would offer a way for you to write your
own scripts. You would basically be doing what you would do at the end point, but you would be
doing it at the BigFix central console. You would write scripts to do the checking. You would be
doing all of this work for each of your different platforms, because everyone is a little bit
different.

Then you could use BigFix to push the scripts down. They would run, and hopefully you wrote
your scripts correctly. You would get results back. What we want to do with ACEML is when
you just put the high-level directive down to the system, it understands ACEML and it knows the
proper way to do the checking.

What's interesting about ACEML, and this is one of our differences from, for example, the
Security Content Automation Protocol (SCAP), is that instead of the vendor saying, "This is how
we do it. It has a repository of how the checking goes and everything like that," you let the end
point make the determination. The end point is aware of what OS it is and it's aware of what
version it is.

For example, with IBM UNIX, which is AIX, you would say "password check at this different
level." We've increased our password strength, we've done a lot of security enhancements around
that. If you push the ACEML to a newer level of AIX, it would do the checking slightly
differently. So, it really relies on the platform, the device itself, to understand ACEML and
understand how best to do its checking.

We see with small businesses and even some of the larger corporations that they're maintaining
their own scripts. They're doing everything manually. They're logging on to a system and running
some of those scripts. Or, they're not running scripts at all, but are manually making all of these
settings.

It's an extremely long and burdensome process, when you start considering that there are
hundreds of thousands of these systems. There are different OSs. You have to find experts for
your Linux systems or your HP-UX or AIX. You have to have all those different talents and
skills in these different areas, and again the process is quite lengthy.

Gardner: Jim Hietala, it sounds like we are focusing on servers to begin with, but I imagine that
this could be extended to network devices, other endpoints, other infrastructure. What's the
potential universe of applicability here?

Different classes

Hietala: The way to think about it is the universe of IT devices that are in scope for these
various compliance regulations. If you think about PCI DSS, it defines pretty tightly what your
cardholder data environment consists of. In terms of O-ACEML, it could be networking devices,
servers, storage equipment, or any sort of IT device. Broadly speaking, it could apply to lots of
different classes of computing devices.

Gardner: Back to you Shawn. You mentioned the AIX environment. Could you explain a
beginning approach that you’ve had with IBM Compliance Expert, or ICE, that might give us a
clue as to how well this could work, when applied even more broadly? How does that heritage in
ICE develop, and what would that tell us about what we could expect with O-ACEML?

Mullen: We’ve had ICE and this AIX Compliance Expert, using the XML, for a number of years
now. It's been broadly used by a lot of our customers, not only to secure AIX but to secure the
virtualization environment, in particular a virtual I/O server. So we use it for that.

One of the things that ACEML brings is that it has some of the lessons we learned from doing
our own proprietary XML. It also brings some lessons we learned when looking at other XML
for compliance like XCCDF. One of the things we put in there was a remediation element.

For example, the PCI says that your password length should be seven. COBIT says your
password length should be eight. It has the XML, so you can blend multiple compliance
requirements with a single policy, choosing the more secure setting, so that both compliance
organizations, or three other compliance organizations, get set properly to meet all of those, and
apply it to a singular system.

One of the things that we're hoping vendors will gravitate toward is the ability to have a central
console controlling their IT environment or configuring and monitoring their IT environment. It
just has to push out a single XML file. It doesn’t have to push out a special XML for Linux
versus AIX versus a network device. It can push out that ACEML file to all of the devices. It's a
singular descriptive XML, and each device, in turn, knows how to map it to its own particular
platform in security configuring.

Gardner: Jim Hietala, it sounds as if the low-hanging fruit here would be the compliance and
automation benefit, but it also sounds as if this is comprehensive. It's targeted at a very large set
of the devices and equipment in the IT infrastructure. This could become a way of propagating
new security policies, protocols, approaches, even standards, down the line. Is that part of the
vision here -- to be able to offer a means by which an automated propagation of future security
changes could easily take place?

Hietala: Absolutely, and it goes beyond just the compliance regulations that are inflicted on us or
put on us by government organizations to defining a best practice instead of security policies in
the organization. Then, using this as a mechanism to push those out to your environment and to
ensure that they are being followed and implemented on all the devices in their IT environment.

So, it definitely goes beyond just managing compliance to these external regulations, but to doing
a better job of implementing the ideal security configuration settings across your environment.

Gardner: And because this is being done in an open environment like The Open Group, and
because it's inclusive of any folks or vendors or suppliers who want to take part, it sounds as if
this could also cross the chasm between an enterprise, IT set, and a consumer or mobile or
external third-party provider set.

Is it also a possibility that we’re going beyond heterogeneity, when it comes to different
platforms, but perhaps crossing boundaries into different segments of IT and what we're seeing
with the “consumerization” of IT now? I'll ask this to either of you or both of you.

Moving to the cloud

Hietala: I'll make a quick comment and then turn it over to Shawn. Definitely, if you think
about how this sort of a standard might apply towards services that are built in somebody’s
cloud, you could see using this as a way to both set configuration settings and check on the status
of configuration settings and instances of machines that are running in a cloud environment.
Shawn, maybe you want to expand on that?

Mullen: It's interesting that you brought this up, because this is the exact conversation we had
earlier today in one of the plenary sessions. They were talking about moving your IT out into the
cloud. One of the issues, aside from just the security, was how do you prove that you are meeting
these compliance requirements?

ACEML is a way to reach into the cloud to find your particular system and bring back a report
that you can present to your auditor. Even though you don’t own the system -- it's not in the data
center here in the next office, it's off in the cloud somewhere -- you can bring back all the
artifacts necessary to prove to the auditor that you are meeting the regulatory requirements.

Gardner: Jim, how do folks take further steps to either gather more information? Obviously, this
would probably be of interest to enterprises as well as the suppliers, vendors, and professional
services organizations. What are the next steps? Where can they go to get some information?
What should they do to become involved?

Hietala: The standard specification is up on our website. You can go to the "Publications" tab on
our website, and do a search for O-ACEML, and you should find the actual technical standard
document. Then, you can get involved directly in the security forum by joining The Open
Group. As the standard evolves, and as we do more with it, we certainly want more members
involved in helping to guide the progress of it over time.

Gardner: Thoughts from you, Shawn, on that same getting involved question?

Mullen: That’s a perfect way to start. We do want to invite different compliance organizations,
everybody from the electrical power grid -- they have their own view of security -- to ISO, to the
payment card industry. For the electrical power grid standard, for example -- and ISO is the same
way -- what ACEML helps them with is they don’t need to understand how Linux does it, how
AIX does it. They don’t need to have that deep understanding.

In fact, the way ISO describes it in their PDF around password settings, it basically says, use
good password settings, and it doesn’t go into any depth beyond that. The way we architected
and designed O-ACEML is that you can just say, "I want good password settings," and it will
default to what we decided. What we focused in on collectively as an international standard in
The Open Group was, that good password hygiene means you change your password every six
months. It should at least carry this many characters, there should be a non-alpha/numeric.

It removes the burden of these different compliance groups from being security experts and it
lets them just use ACEML and the default settings that The Open Group came up with.

We want to reach out to those groups and show them the benefits of publishing some of their
security standards in O-ACEML. Beyond that, we'll work with them to have that standard up,
and hopefully they can publish it on their website, or maybe we can publish it on The Open
Group website.

Next milestones

Gardner: Well, great. We’ve been learning more about the Open Automated Compliance
Expert Markup Language, more commonly known as O-ACEML. And we’ve been seeing how it
can help assure compliance along with some applicable regulations across different types of
equipment, but has the opportunity to perhaps provide more security across different domains, be
that cloud or on-premises or even partner networks, while also achieving major cost savings.
We’ve been learning how to get started on this and what the maturity timeline is.

Jim Hietala, what would be the next milestone? What should people expect next in terms of how
this is being rolled out?

Hietala: You'll see more from us in terms of adoption of the standard. We’re looking already at
case studies and so forth to really describe in terms that everyone can understand what benefits
organizations are seeing from using O-ACEML. Given the environment we’re in today, we’re
seeing security breaches and hacktivism and so forth every day in the newspapers.

I think we can expect to see more regulation and more frequent revisions of regulations and
standards affecting IT organizations and their security, which really makes it imperative for
engineers in IT environment in such a way that you can accommodate those changes, as they are
brought to your organization, do so in an effective way, and at the least cost. Those are really the
kinds of things that O-ACEML has targeted, and I think there is a lot of benefit to organizations
to using it.

Gardner: Shawn, one more question to you as a follow-up to what Jim said. Not only should
we expect more regulations, but we’ll see them coming from different governments, different
strata of governments, so state, local, federal perhaps. For a multinational organization, this could
be a very complex undertaking, so I'm curious as to whether O-ACEML could also help when it
comes to managing multiple regulations across multiple jurisdictions for larger organizations.

Mullen: That was the goal when we came up with O-ACEML. Anybody could author it, and
again, if a single system fell under the purview of multiple compliance requirements, we could
plan that together and that system would be a multiple one.

It’s an international standard, we want it to be used by multiple compliance organizations. And
compliance is a good thing. It’s just good IT governance. It will save companies money in the
long run, as we saw with these statistics. The goal is to lower the cost of being compliant, so you
get good IT governance, just with a lower cost.

Gardner: Thanks. This sponsored podcast is coming to you in conjunction with The Open
Group Conference in Austin, Texas, in the week of July 18, 2011. Thanks to both our guests. Jim
Hietala, the Vice President of Security at The Open Group. Thank you, Jim.

Hietala: Thank you, Dana.

Gardner: And also Shawn Mullen, Power Software Security Architect at IBM. Thank you,
Shawn.

Mullen: Thank you, Dana.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks again for
listening, and come back next time.

Transcript of a BriefingsDirect podcast from The Open Group Conference on the new Open
Automated Compliance Expert Markup Language and how it can save companies time and
money. Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.
You may also be interested in:

 • Enterprise Architects Increasingly Leverage Advanced TOGAF9 for Innovation, Market
   Response, and Governance Benefits
 • Open Group Cloud Panel Forecasts Clouds Spurring Useful Transition Phase for
   Enterprise Architecture
 • The Open Group's Cloud Work Group Advances Understanding of Cloud-Use Benefits
   for Enterprises
 • Exploring the Role and Impact of the Open Trusted Technology Forum to Ensure Secure
   IT Products in Global Supply Chains

Focus on Data, Risk Control, and Predictive Analysis Drives New Era of Cloud-...
 
7 steps to build an effective corporate compliance strategy
7 steps to build an effective corporate compliance strategy7 steps to build an effective corporate compliance strategy
7 steps to build an effective corporate compliance strategy
 
Security policy.pdf
Security policy.pdfSecurity policy.pdf
Security policy.pdf
 
Standards For Wright Aircraft Corp
Standards For Wright Aircraft CorpStandards For Wright Aircraft Corp
Standards For Wright Aircraft Corp
 
Glen alleman agile 04 ev+agile=success
Glen alleman agile 04 ev+agile=successGlen alleman agile 04 ev+agile=success
Glen alleman agile 04 ev+agile=success
 
1Running Header ORGANIZATIONAL SECURITY 4ORGANIZATIONAL SEC.docx
1Running Header ORGANIZATIONAL SECURITY 4ORGANIZATIONAL SEC.docx1Running Header ORGANIZATIONAL SECURITY 4ORGANIZATIONAL SEC.docx
1Running Header ORGANIZATIONAL SECURITY 4ORGANIZATIONAL SEC.docx
 
Class,Im providing a recently example of a critical analysis wr.docx
Class,Im providing a recently example of a critical analysis wr.docxClass,Im providing a recently example of a critical analysis wr.docx
Class,Im providing a recently example of a critical analysis wr.docx
 
Top 10 Tips
Top 10 TipsTop 10 Tips
Top 10 Tips
 
Learn How to Maximize Your ServiceNow Investment
Learn How to Maximize Your ServiceNow InvestmentLearn How to Maximize Your ServiceNow Investment
Learn How to Maximize Your ServiceNow Investment
 
Open #iotmark certification mark
Open #iotmark certification markOpen #iotmark certification mark
Open #iotmark certification mark
 
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
 
How to Secure your Fintech Solution - A Whitepaper by RapidValue
How to Secure your Fintech Solution - A Whitepaper by RapidValueHow to Secure your Fintech Solution - A Whitepaper by RapidValue
How to Secure your Fintech Solution - A Whitepaper by RapidValue
 
Article - 10 best data compliance practices .pdf
Article - 10 best data compliance practices .pdfArticle - 10 best data compliance practices .pdf
Article - 10 best data compliance practices .pdf
 

Dernier

Who Is Emmanuel Katto Uganda? His Career, personal life etc.
Who Is Emmanuel Katto Uganda? His Career, personal life etc.Who Is Emmanuel Katto Uganda? His Career, personal life etc.
Who Is Emmanuel Katto Uganda? His Career, personal life etc.Marina Costa
 
08448380779 Call Girls In Lajpat Nagar Women Seeking Men
08448380779 Call Girls In Lajpat Nagar Women Seeking Men08448380779 Call Girls In Lajpat Nagar Women Seeking Men
08448380779 Call Girls In Lajpat Nagar Women Seeking MenDelhi Call girls
 
JORNADA 5 LIGA MURO 2024INSUGURACION.pdf
JORNADA 5 LIGA MURO 2024INSUGURACION.pdfJORNADA 5 LIGA MURO 2024INSUGURACION.pdf
JORNADA 5 LIGA MURO 2024INSUGURACION.pdfArturo Pacheco Alvarez
 
08448380779 Call Girls In Karol Bagh Women Seeking Men
08448380779 Call Girls In Karol Bagh Women Seeking Men08448380779 Call Girls In Karol Bagh Women Seeking Men
08448380779 Call Girls In Karol Bagh Women Seeking MenDelhi Call girls
 
ALL NFL NETWORK CONTACTS- April 29, 2024
ALL NFL NETWORK CONTACTS- April 29, 2024ALL NFL NETWORK CONTACTS- April 29, 2024
ALL NFL NETWORK CONTACTS- April 29, 2024Brian Slack
 
Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...
Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...
Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...Eticketing.co
 
大学假文凭《原版英国Imperial文凭》帝国理工学院毕业证制作成绩单修改
大学假文凭《原版英国Imperial文凭》帝国理工学院毕业证制作成绩单修改大学假文凭《原版英国Imperial文凭》帝国理工学院毕业证制作成绩单修改
大学假文凭《原版英国Imperial文凭》帝国理工学院毕业证制作成绩单修改atducpo
 
Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...
Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...
Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...baharayali
 
Italy vs Albania Tickets: Italy's Quest for Euro Cup Germany History, Defendi...
Italy vs Albania Tickets: Italy's Quest for Euro Cup Germany History, Defendi...Italy vs Albania Tickets: Italy's Quest for Euro Cup Germany History, Defendi...
Italy vs Albania Tickets: Italy's Quest for Euro Cup Germany History, Defendi...Eticketing.co
 
Slovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docx
Slovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docxSlovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docx
Slovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docxWorld Wide Tickets And Hospitality
 
Spain Vs Italy 20 players confirmed for Spain's Euro 2024 squad, and three po...
Spain Vs Italy 20 players confirmed for Spain's Euro 2024 squad, and three po...Spain Vs Italy 20 players confirmed for Spain's Euro 2024 squad, and three po...
Spain Vs Italy 20 players confirmed for Spain's Euro 2024 squad, and three po...World Wide Tickets And Hospitality
 
Technical Data | Sig Sauer Easy6 BDX 1-6x24 | Optics Trade
Technical Data | Sig Sauer Easy6 BDX 1-6x24 | Optics TradeTechnical Data | Sig Sauer Easy6 BDX 1-6x24 | Optics Trade
Technical Data | Sig Sauer Easy6 BDX 1-6x24 | Optics TradeOptics-Trade
 
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best Female service 🦺
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best Female service  🦺CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best Female service  🦺
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best Female service 🦺anilsa9823
 
Tableaux 9ème étape circuit fédéral 2024
Tableaux 9ème étape circuit fédéral 2024Tableaux 9ème étape circuit fédéral 2024
Tableaux 9ème étape circuit fédéral 2024HechemLaameri
 
CALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual serviceanilsa9823
 
08448380779 Call Girls In IIT Women Seeking Men
08448380779 Call Girls In IIT Women Seeking Men08448380779 Call Girls In IIT Women Seeking Men
08448380779 Call Girls In IIT Women Seeking MenDelhi Call girls
 
9990611130 Find & Book Russian Call Girls In Ghazipur
9990611130 Find & Book Russian Call Girls In Ghazipur9990611130 Find & Book Russian Call Girls In Ghazipur
9990611130 Find & Book Russian Call Girls In GhazipurGenuineGirls
 
🔝|97111༒99012🔝 Call Girls In {Delhi} Cr Park ₹5.5k Cash Payment With Room De...
🔝|97111༒99012🔝 Call Girls In  {Delhi} Cr Park ₹5.5k Cash Payment With Room De...🔝|97111༒99012🔝 Call Girls In  {Delhi} Cr Park ₹5.5k Cash Payment With Room De...
🔝|97111༒99012🔝 Call Girls In {Delhi} Cr Park ₹5.5k Cash Payment With Room De...Diya Sharma
 

Dernier (20)

Who Is Emmanuel Katto Uganda? His Career, personal life etc.
Who Is Emmanuel Katto Uganda? His Career, personal life etc.Who Is Emmanuel Katto Uganda? His Career, personal life etc.
Who Is Emmanuel Katto Uganda? His Career, personal life etc.
 
08448380779 Call Girls In Lajpat Nagar Women Seeking Men
08448380779 Call Girls In Lajpat Nagar Women Seeking Men08448380779 Call Girls In Lajpat Nagar Women Seeking Men
08448380779 Call Girls In Lajpat Nagar Women Seeking Men
 
JORNADA 5 LIGA MURO 2024INSUGURACION.pdf
JORNADA 5 LIGA MURO 2024INSUGURACION.pdfJORNADA 5 LIGA MURO 2024INSUGURACION.pdf
JORNADA 5 LIGA MURO 2024INSUGURACION.pdf
 
08448380779 Call Girls In Karol Bagh Women Seeking Men
08448380779 Call Girls In Karol Bagh Women Seeking Men08448380779 Call Girls In Karol Bagh Women Seeking Men
08448380779 Call Girls In Karol Bagh Women Seeking Men
 
ALL NFL NETWORK CONTACTS- April 29, 2024
ALL NFL NETWORK CONTACTS- April 29, 2024ALL NFL NETWORK CONTACTS- April 29, 2024
ALL NFL NETWORK CONTACTS- April 29, 2024
 
Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...
Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...
Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...
 
大学假文凭《原版英国Imperial文凭》帝国理工学院毕业证制作成绩单修改
大学假文凭《原版英国Imperial文凭》帝国理工学院毕业证制作成绩单修改大学假文凭《原版英国Imperial文凭》帝国理工学院毕业证制作成绩单修改
大学假文凭《原版英国Imperial文凭》帝国理工学院毕业证制作成绩单修改
 
Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...
Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...
Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...
 
Italy vs Albania Tickets: Italy's Quest for Euro Cup Germany History, Defendi...
Italy vs Albania Tickets: Italy's Quest for Euro Cup Germany History, Defendi...Italy vs Albania Tickets: Italy's Quest for Euro Cup Germany History, Defendi...
Italy vs Albania Tickets: Italy's Quest for Euro Cup Germany History, Defendi...
 
Slovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docx
Slovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docxSlovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docx
Slovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docx
 
Call Girls Service Noida Extension @9999965857 Delhi 🫦 No Advance VVIP 🍎 SER...
Call Girls Service Noida Extension @9999965857 Delhi 🫦 No Advance  VVIP 🍎 SER...Call Girls Service Noida Extension @9999965857 Delhi 🫦 No Advance  VVIP 🍎 SER...
Call Girls Service Noida Extension @9999965857 Delhi 🫦 No Advance VVIP 🍎 SER...
 
Spain Vs Italy 20 players confirmed for Spain's Euro 2024 squad, and three po...
Spain Vs Italy 20 players confirmed for Spain's Euro 2024 squad, and three po...Spain Vs Italy 20 players confirmed for Spain's Euro 2024 squad, and three po...
Spain Vs Italy 20 players confirmed for Spain's Euro 2024 squad, and three po...
 
Technical Data | Sig Sauer Easy6 BDX 1-6x24 | Optics Trade
Technical Data | Sig Sauer Easy6 BDX 1-6x24 | Optics TradeTechnical Data | Sig Sauer Easy6 BDX 1-6x24 | Optics Trade
Technical Data | Sig Sauer Easy6 BDX 1-6x24 | Optics Trade
 
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best Female service 🦺
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best Female service  🦺CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best Female service  🦺
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best Female service 🦺
 
Tableaux 9ème étape circuit fédéral 2024
Tableaux 9ème étape circuit fédéral 2024Tableaux 9ème étape circuit fédéral 2024
Tableaux 9ème étape circuit fédéral 2024
 
Call Girls In RK Puram 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In RK Puram 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In RK Puram 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In RK Puram 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
CALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual service
 
08448380779 Call Girls In IIT Women Seeking Men
08448380779 Call Girls In IIT Women Seeking Men08448380779 Call Girls In IIT Women Seeking Men
08448380779 Call Girls In IIT Women Seeking Men
 
9990611130 Find & Book Russian Call Girls In Ghazipur
9990611130 Find & Book Russian Call Girls In Ghazipur9990611130 Find & Book Russian Call Girls In Ghazipur
9990611130 Find & Book Russian Call Girls In Ghazipur
 
🔝|97111༒99012🔝 Call Girls In {Delhi} Cr Park ₹5.5k Cash Payment With Room De...
🔝|97111༒99012🔝 Call Girls In  {Delhi} Cr Park ₹5.5k Cash Payment With Room De...🔝|97111༒99012🔝 Call Girls In  {Delhi} Cr Park ₹5.5k Cash Payment With Room De...
🔝|97111༒99012🔝 Call Girls In {Delhi} Cr Park ₹5.5k Cash Payment With Room De...
 

Let me throw this out to both of you. Why are we doing this at all and what are the problems that we need to solve with O-ACEML?
Hietala: One of the things you've seen in the last 10 or 12 years, since the compliance regulations have really come to the fore, is that the more regulation there is, the more specific requirements are put down, and the more challenging it is for organizations to manage. Their IT infrastructure needs to be in compliance with whatever regulations impact them, and the cost of doing so becomes a significant thing.

So, anything that could be done to help automate, to drive out cost, and maybe make organizations more effective in complying with the regulations that affect them -- whether it's PCI, HIPAA, or whatever -- there's a lot of benefit to large IT organizations in doing that. That's really what drove us to look at adopting a standard in this area.

Gardner: Jim, just for those folks who are coming in fresh, are we talking about IT security equipment and the compliance around that, or is it about the process of how you do security, or both? What are the boundaries around this effort and what it focuses on?

Manual process

Hietala: It's both. It's enabling the compliance of IT devices specifically around security constraints and the security configuration settings and, to some extent, the process. If you look at how people did compliance or managed compliance without a standard like this, without automation, it tended to be a manual process of setting configuration settings and auditors manually checking on settings. O-ACEML goes to the heart of trying to automate that process and drive some cost out of the equation.

Gardner: Shawn Mullen, how do you see this in terms of the need? What are the trends or the environment that necessitate this?

Mullen: I agree with Jim. This has been going on a while, and we're seeing it in both classes of customers. On the high end, we would go from customer to customer and they would have their own hardening scripts, their own view of what should be hardened. It may conflict with what the compliance organization wanted as far as the settings. This was a standard way of taking what the compliance organization wanted, and also it has an easy way to author it, to change it. If your own corporate security requirements are more stringent, you can easily change the ACEML configuration, so that it satisfies your more stringent corporate compliance or security policy, as well as satisfying the regulatory compliance organization, in an easy way to monitor it, to report, and see it.

In addition, on the low end, the small businesses don't have the expertise to know how to configure their systems. Quite frankly, they don't want to be security experts. Here is an easy way to print an XML file to harden their systems as they need to be hardened to meet compliance or just the regular good security practices.
Gardner: One of the things that's jumped out at me as I've looked into this is the rapid improvement in terms of a cost or return on investment (ROI), almost to the league of a no-brainer category. Help me understand why it is so expensive and inefficient now, when it comes to security equipment audits and regulatory compliance. What might this then therefore bring in terms of improvement?

Mullen: One of the things that we're seeing in the industry is server consolidation. If you have these hundreds, or in large organizations thousands, of systems and you have to manually configure them, it becomes a very daunting task. Because of that, it's a one-time shot at doing this, and then the monitoring is even more difficult. With ACEML, it's a way of authoring your security policy as it meets compliance or for your own security policy and pushing that out. This allows you to have a single XML and push it onto heterogeneous platforms. Everything is configured securely and consistently and it gives you a very easy way to get the tooling to monitor those systems, so they are configured correctly today. You're checking them weekly or daily to ensure that they remain in that desired state.

Gardner: So it's important not only to automate, but to be inclusive and comprehensive in the way you do that, or you are back to a manual process, at least for a significant portion, but that might then not be at your compliance issues. Is that how it works?

Mullen: We had a very interesting presentation here at The Open Group Conference yesterday. I'll let Jim provide some of the details on that, but customers are finding the best way they can lower their compliance, or their cost of meeting compliance, is through automation. If you can automate any part of that compliance process, that's going to save you time and money. If you can get rid of the manual effort with automation, it greatly reduces your cost.

Gardner: Shawn, do we have any sense in the market what the current costs are, even for something that was as well-known as Sarbanes-Oxley? How impressive, or unfortunately intimidating, are some of these costs?

Cost of compliance

Mullen: There was a very good study yesterday. The average cost for an organization to be compliant is $3 million. That's an annual cost. What was also interesting was that the cost of being non-compliant, as they called it, was $9 million.

Hietala: The figures that Shawn was referencing come out of the study by the Ponemon Institute. Larry Ponemon does lots of studies around security, risk, and compliance cost. He authors an annual data breach study that's pretty widely quoted in the security industry that gets to the cost of data breaches on average for companies.
In the numbers that were presented yesterday, he recently studied 46 very large companies, looking at their cost to be in compliance with the relevant regulations. It's like $3.5 million a year, and over $9 million for companies that weren't compliant, which suggests that companies that are actually actively managing towards compliance are probably a little more efficient than those that aren't.

What O-ACEML has the opportunity to do for those companies that are in compliance is help drive that $3.5 million down to something much less than that by automating and taking manual labor out of the process.

Gardner: So it's a seemingly very worthwhile effort. How do we get to where we are now, Jim, with the standard, and where do we need to go? What's the level of maturity with this?

Hietala: It's relatively new. It was just published 60 days ago by The Open Group. The actual specification is on The Open Group website. It's downloadable, and we would encourage both system vendors and platform vendors, as well as folks in the security management space or maybe the IT-GRC space, to check it out, take a look at it, and think about adopting it as a way to exchange compliance configuration information with platforms. We want to encourage adoption by as broad a set of vendors as we can, and we think that having more adoption by the industry will help make this more available so that end users can take advantage of it.

Gardner: Back to you, Shawn. Now that we've determined that we're in the process of creating this, perhaps you could set the stage for how it works. What takes place with ACEML? People are familiar with markup languages, but how does this now come to bear on this problem around compliance, automation, and security?

Mullen: Let's take a single rule, and we'll use a simple case like the minimum password length. In PCI the minimum password length, for example, is seven. Sarbanes-Oxley, which relies on COBiT, password length would be eight. But with an O-ACEML XML, it's very easy to author a rule, and there are three segments to it. The first segment is very human-understandable, where you would put something like "password length equals seven." You can add a descriptive text with it, and that's all you have to author.

Actionable command

When that is pushed down onto the platform or the system that's O-ACEML aware, it's able to take that simple ACEML word or directive and map that into an actionable command relevant to that system. When it finds the map into the actionable command, it writes it back into the XML. So that's completing the second phase of the rule. It executes that command either to implement the setting or to check the setting.
The result of the command is then written back into the XML. So now the XML for a particular rule has the first part, the authored high-level directive as a compliance organization, how that particular system mapped it into a command, and the result of executing that command, either in a setting or checking format. Now we have all of the artifacts we need to ensure that the system is configured correctly, and to generate audit reports. So when the auditor comes in we can say, "This is exactly how any particular system is configured and we know it to be consistent, because we can point to any particular system, get the O-ACEML XML, and see all the artifacts and generate reports from that."

Gardner: Maybe to give a sense of how this works, we can also look at a before-and-after scenario. Maybe you could describe how things are done now, the before or current status approach or standard operating procedure, and then what would be the case after someone would implement and mature an O-ACEML implementation.

Mullen: There are similar tools to this, but they don't all operate exactly the same way. I'll use an example of BigFix. If I had a particular system, they would offer a way for you to write your own scripts. You would basically be doing what you would do at the endpoint, but you would be doing it at the BigFix central console. You would write scripts to do the checking. You would be doing all of this work for each of your different platforms, because every one is a little bit different. Then you could use BigFix to push the scripts down. They would run, and hopefully you wrote your scripts correctly. You would get results back. What we want to do with ACEML is, when you just put the high-level directive down to the system, it understands ACEML and it knows the proper way to do the checking.

What's interesting about ACEML, and this is one of our differences from, for example, the Security Content Automation Protocol (SCAP), is that instead of the vendor saying, "This is how we do it. It has a repository of how the checking goes and everything like that," you let the endpoint make the determination. The endpoint is aware of what OS it is and it's aware of what version it is. For example, with IBM UNIX, which is AIX, you would say "password check at this different level." We've increased our password strength, we've done a lot of security enhancements around that. If you push the ACEML to a newer level of AIX, it would do the checking slightly differently. So, it really relies on the platform, the device itself, to understand ACEML and understand how best to do its checking.

We see with small businesses and even some of the larger corporations that they're maintaining their own scripts. They're doing everything manually. They're logging on to a system and running some of those scripts. Or, they're not running scripts at all, but are manually making all of these settings.
It's an extremely long and burdensome process, when you start considering that there are hundreds of thousands of these systems. There are different OSs. You have to find experts for your Linux systems or your HP-UX or AIX. You have to have all those different talents and skills in these different areas, and again the process is quite lengthy.

Gardner: Jim Hietala, it sounds like we are focusing on servers to begin with, but I imagine that this could be extended to network devices, other endpoints, other infrastructure. What's the potential universe of applicability here?

Different classes

Hietala: The way to think about it is the universe of IT devices that are in scope for these various compliance regulations. If you think about PCI DSS, it defines pretty tightly what your cardholder data environment consists of. In terms of O-ACEML, it could be networking devices, servers, storage equipment, or any sort of IT device. Broadly speaking, it could apply to lots of different classes of computing devices.

Gardner: Back to you, Shawn. You mentioned the AIX environment. Could you explain a beginning approach that you've had with IBM Compliance Expert, or ICE, that might give us a clue as to how well this could work when applied even more broadly? How does that heritage in ICE develop, and what would that tell us about what we could expect with O-ACEML?

Mullen: We've had ICE, and this AIX Compliance Expert, using the XML, for a number of years now. It's been broadly used by a lot of our customers, not only to secure AIX but to secure the virtualization environment, in particular a virtual I/O server. So we use it for that. One of the things that ACEML brings is that it has some of the lessons we learned from doing our own proprietary XML. It also brings some lessons we learned when looking at other XML for compliance, like XCCDF.

One of the things we put in there was a remediation element. For example, the PCI says that your password length should be seven. COBiT says your password length should be eight. It has the XML, so you can blend multiple compliance requirements with a single policy, choosing the more secure setting, so that both compliance organizations, or three compliance organizations, get set properly to meet all of those, and apply it to a singular system.

One of the things that we're hoping vendors will gravitate toward is the ability to have a central console controlling their IT environment, or configuring and monitoring their IT environment. It just has to push out a single XML file. It doesn't have to push out a special XML for Linux versus AIX versus a network device. It can push out that ACEML file to all of the devices. It's a singular descriptive XML, and each device, in turn, knows how to map it to its own particular platform in security configuring.
Gardner: Jim Hietala, it sounds as if the low-hanging fruit here would be the compliance and automation benefit, but it also sounds as if this is comprehensive. It's targeted at a very large set of the devices and equipment in the IT infrastructure. This could become a way of propagating new security policies, protocols, approaches, even standards, down the line. Is that part of the vision here -- to be able to offer a means by which an automated propagation of future security changes could easily take place?

Hietala: Absolutely, and it goes beyond just the compliance regulations that are inflicted on us or put on us by government organizations to defining a best practice instead of security policies in the organization. Then, using this as a mechanism to push those out to your environment and to ensure that they are being followed and implemented on all the devices in their IT environment. So, it definitely goes beyond just managing compliance to these external regulations, but to doing a better job of implementing the ideal security configuration settings across your environment.

Gardner: And because this is being done in an open environment like The Open Group, and because it's inclusive of any folks or vendors or suppliers who want to take part, it sounds as if this could also cross the chasm between an enterprise IT set and a consumer or mobile or external third-party provider set. Is it also a possibility that we're going beyond heterogeneity, when it comes to different platforms, but perhaps crossing boundaries into different segments of IT and what we're seeing with the "consumerization" of IT now? I'll ask this to either of you or both of you.

Moving to the cloud

Hietala: I'll make a quick comment and then turn it over to Shawn. Definitely, if you think about how this sort of a standard might apply toward services that are built in somebody's cloud, you could see using this as a way to both set configuration settings and check on the status of configuration settings and instances of machines that are running in a cloud environment. Shawn, maybe you want to expand on that?

Mullen: It's interesting that you brought this up, because this is the exact conversation we had earlier today in one of the plenary sessions. They were talking about moving your IT out into the cloud. One of the issues, aside from just the security, was how do you prove that you are meeting these compliance requirements? ACEML is a way to reach into the cloud to find your particular system and bring back a report that you can present to your auditor. Even though you don't own the system -- it's not in the data center here in the next office, it's off in the cloud somewhere -- you can bring back all the artifacts necessary to prove to the auditor that you are meeting the regulatory requirements.

Gardner: Jim, how do folks take further steps to either gather more information? Obviously, this would probably be of interest to enterprises as well as the suppliers, vendors for professional services organizations. What are the next steps? Where can they go to get some information? What should they do to become involved?

Hietala: The standard specification is up on our website. You can go to the "Publications" tab on our website, and do a search for O-ACEML, and you should find the actual technical standard document. Then, you can get involved directly in the security forum by joining The Open Group. As the standard evolves, and as we do more with it, we certainly want more members involved in helping to guide the progress of it over time.

Gardner: Thoughts from you, Shawn, on that same getting-involved question?

Mullen: That's a perfect way to start. We do want to invite different compliance organizations, everybody from the electrical power grid -- they have their own view of security -- to ISO, to the payment card industry. For the electrical power grid standard, for example -- and ISO is the same way -- what ACEML helps them with is they don't need to understand how Linux does it, how AIX does it. They don't need to have that deep understanding. In fact, the way ISO describes it in their PDF around password settings, it basically says, use good password settings, and it doesn't go into any depth beyond that. The way we architected and designed O-ACEML is that you can just say, "I want good password settings," and it will default to what we decided. What we focused in on collectively as an international standard in The Open Group was that good password hygiene means you change your password every six months. It should at least carry this many characters, there should be a non-alphanumeric. It removes the burden of these different compliance groups from being security experts and it lets them just use ACEML and the default settings that The Open Group came up with. We want to reach out to those groups and show them the benefits of publishing some of their security standards in O-ACEML. Beyond that, we'll work with them to have that standard up, and hopefully they can publish it on their website, or maybe we can publish it on The Open Group website.

Next milestones

Gardner: Well, great. We've been learning more about the Open Automated Compliance Expert Markup Language, more commonly known as O-ACEML. And we've been seeing how it can help assure compliance along with some applicable regulations across different types of equipment, but has the opportunity to perhaps provide more security across different domains, be that cloud or on-premises or even partner networks, while also achieving major cost savings. We've been learning how to get started on this and what the maturity timeline is. Jim Hietala, what would be the next milestone? What should people expect next in terms of how this is being rolled out?

Hietala: You'll see more from us in terms of adoption of the standard. We're looking already at case studies and so forth to really describe in terms that everyone can understand what benefits organizations are seeing from using O-ACEML. Given the environment we're in today, we're seeing security breaches and hacktivism and so forth every day in the newspapers. I think we can expect to see more regulation and more frequent revisions of regulations and standards affecting IT organizations and their security, which really makes it imperative for engineers in IT environments in such a way that you can accommodate those changes, as they are brought to your organization, do so in an effective way, and at the least cost. Those are really the kinds of things that O-ACEML has targeted, and I think there is a lot of benefit to organizations to using it.

Gardner: Shawn, one more question to you as a follow-up to what Jim said: not only should we expect more regulations, but we'll see them coming from different governments, different strata of governments, so state, local, federal perhaps. For multinational organizations, this could be a very complex undertaking, so I'm curious as to whether O-ACEML could also help when it comes to managing multiple regulations across multiple jurisdictions for larger organizations.

Mullen: That was the goal when we came up with O-ACEML. Anybody could author it, and again, if a single system fell under the purview of multiple compliance requirements, we could plan that together and that system would be a multiple one. It's an international standard; we want it to be used by multiple compliance organizations. And compliance is a good thing. It's just good IT governance. It will save companies money in the long run, as we saw with these statistics. The goal is to lower the cost of being compliant, so you get good IT governance, just with a lower cost.

Gardner: Thanks.
This sponsored podcast is coming to you in conjunction with The Open Group Conference in Austin, Texas, in the week of July 18, 2011. Thanks to both our guests. Jim Hietala, the Vice President of Security at The Open Group. Thank you, Jim.

Hietala: Thank you, Dana.

Gardner: And also Shawn Mullen, Power Software Security Architect at IBM. Thank you, Shawn.

Mullen: Thank you, Dana.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks again for listening, and come back next time.

Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.