RSA: standards organisations share the stage

Three separate technology standards organisations will use this week's RSA Conference in San Francisco to make announcements on...

Three separate technology standards organisations will use this week's RSA Conference in San Francisco to make announcements on their latest initiatives, guidelines and working groups.

The highest profile development on the standards front comes from the Liberty Alliance Project, which is to release draft specifications for the next phase in its network identity architecture.

Simon Nicholson of Sun Microsystems, chair of the Liberty Alliance's business and marketing expert group, said the new draft specifications will "fill out the blueprint for building and deploying personalised identity-based web services".

In an announcement in March, the consortium aimed the release of two draft specifications in mid-2003: the Identity Web Services Framework and the Identity Services Interface Specifications.

Those specifications outline the components needed to build interoperable web services that protect user identity and the privacy of data that is exchanged.

The Liberty Alliance will also be touting the progress made since the July 2002 launch of Phase 1 of its architecture, the Identity Federation Framework. This provided standards for simplified sign-on and the linking of user accounts among businesses with established relationships.

Representatives from 18 "big name" companies will be on hand to demonstrate interoperability among systems based on Liberty Alliance specifications, said Nicholson.

Those services will range from projects that are in the "late beta" phase of testing to those that are in production, and they will highlight how the Liberty Alliance specifications can be used to make user sign-on easier and less complicated, he said.

Also at RSA, a group of application security suppliers affiliated with the Organisation for the Advancement of Structured Information Standards (Oasis) will announce a proposal for a new eXtensible Markup Language (XML) standard for application vulnerabilities.

The group, made up of Citadel Security Software, GuardedNet, NetContinuum, SPI Dynamics and Teros, is promoting the development of the Application Vulnerability Description Language (AVDL), which is intended to standardise information about application vulnerabilities, enabling different products to share vulnerability information in a heterogenous network environment.

The AVDL group submitted its idea to Oasis for study. In turn, the standards body has created a technical committee to develop an XML definition for exchanging information on the security vulnerabilities of applications exposed to networks.

A draft specification from the AVDL technical committee is scheduled for September, with a final specification due in December.

If widely adopted, the AVDL standards will enable customers to deploy diverse "best of breed" security technology to protect their network without having to sacrifice integration and interoperability, said Wes Wasson, chief security strategy officer at NetContinuum.

Though initially intended to foster interoperability among the products of the five sponsoring companies, AVDL has the potential to be adopted by additional product platforms and to move further up the development chain, said Brian Cohen, chief executive officer of SPI Dynamics.

AVDL backers hope that development platform suppliers and Oasis members such as Microsoft, BEA Systems and IBM will join the AVDL technical committee and help shape the development of the AVDL standard so that it can be easily integrated with their development environments, according to Cohen. 

The Information Security Systems Association (ISSA) is making what it calls a "historic announcement" at RSA. The group, an international non-profit organisation made up of information security professionals and practitioners, will announce its intention to take over and complete development of the Generally Accepted Information Security Principles (GAISP).

The announcement is quite significant, said Mike Rasmussen, vice-president of marketing for ISSA and an analyst at Forrester Research.

"What Generally Accepted Accounting Principles is for the accounting world, GAISP is trying to be for the security world," he said.

ISSA hopes to finish specific management guidelines and tactics for chief information officers that build on a set of pervasive principles. It will follow those with detailed principles that recommend activities for risk management and step-by-step instructions for IT staff.

In addition, ISSA will be working to bring the GAISP standards in line with ISO 17799 standards, which many companies are using to guide their security architectures, said Rasmussen.

The GAISP project will be a massive undertaking, intended to provide security administrators with a single security framework that they can use to measure compliance with a wide range of international security standards and regulations, in addition to specific steps that can be followed to achieve and maintain compliance.

If successful, the GAISP project could help stem the confusion concerning security management, said Rasmussen.

Read more on IT risk management