I've spent the last couple of days adding ISO17799 and COBIT mappings to the controls catalog. If you check any of the controls you will now see the mapping details at the bottom. You can also search for ISO or COBIT references using the search function in the menu bar to return a list of controls if you want to do a reverse lookup!
In the coming week I will also generate a table that lists controls and mappings in a single table.
We've been meaning to do this for a while now, but it's taken some time, as it made sense to get the underlying controls into a database so we can easily add mappings in future and regenerate the catalog really fast. Now the control catalog is in the database we can start to consider some neat tricks with web services and client side queries, which would allow us to start thinking about browser based design tools.
If you have any thoughts on additional mappings, or ways we could develop in the coming months let us know.
We just started the discussion on secure development lifecycle. We would be very happy if you could post your experience in this field. Which expectations are realistic? Which activities paid back?
Please find a short summary of recent changes on the Open Security Architecture website:
-> We have just published a draft of the Cloud Computing pattern. This covers the issues you will face if you are looking to exploit the new wave Cloud Computing services. We would still welcome additional comments before the pattern is finally approved.
-> A secure development pattern is being started.
-> The new icon packs and templates have been uploaded which make the patterns clearer to understand and use.
-> We continue to work on the first release of the OSA threat catalog. Progress has been slow but we hope to have something ready for the first quarter of 2009.
Our membership and visitors continue to grow with a great representation across industry sectors and global geography. We'd really appreciate feedback on progress we have made, and further improvements you want to see. Write a sentence or two and send to This email address is being protected from spambots. You need JavaScript enabled to view it. to let us know!
I think we have an OSA first here, so if you have not signed up for the bulletin board yet then please do so and leave us some comments to help improve the quality. We'll post to the patterns section on the main site in the next few days.
I've been spending time researching the Cloud Computing pattern in the last week or so and I must say I am learning a lot. I've been a big fan of Nick Carr since I saw him speak about 3 years ago, and have long appreciated the possible financial benefits for large organizations of a utility model for computing. However I have the same feeling about some of the distributed technologies that are starting to spring up as I had when I first encountered the Internet back in '93. In other words I think we are in for a really big paradigm shift with a lot of innovation (and I'm not talking about Social networking!). Of course I could just be getting carried away with the hype but I think not, and this is why:
- Lots of bandwidth and always on connections mean it's finally realistic to distribute computing tasks.
- There are a whole bunch of smart newcomers who treat the Internet as their platform (rather than an OS plus bits like MS)
- The technology stack has matured to the point where the basic foundations are already in place and mainly available as Free and Open Source Software (OS, browser, programming languages, dev environments, content management, dbms, web protocols) making it cheap and easy to start building neat things on top... i.e. you don't need a massive budget and 100's of man years of effort to put your ideas into practice.
- On the client side the technologies are at a point where you can deliver a pretty rich user experience within a browser environment.
While there is the potential for some real security benefits, they are uncertain right now, and the compliance implications could be massive especially for larger organizations who have to worry about these kinds of things more. For this reason I think there will be a much faster adoption curve amongst SME's and Consumers. A lot of the security pieces of the jigsaw are just not in place yet. I found that when I went through the controls catalog for the pattern I am building there were many cases where I could not assign controls, or places where it was obvious there would be need for another service provider to step in and address a basic need.
Because of these unfulfilled needs I suspect we will see a number of start-ups in this space, who essentially provide Security as a Service for complex webs of providers, and give organizations a way of managing the risks. It will not be enough to simply get a SAS-70 or equivalent certification and consider the job done in anything other than the most simple situations. Relatively simple tasks like Identity Management become very interesting when you have a large number of cloud services interacting to fulfill a business process. How do you broker identity amongst providers and ensure that access rights are managed effectively? This and many other areas have yet to be resolved.