Collaboration Oriented ArchitectureCOA Position Paper

An Overview

Adrian SeccombeBoard of Management, Jericho Forum®

CISO & Snr Enterprise Information Architect, Eli Lilly

Questions at the end, please!

Apart from points of clarification.

Backgrounder

• Technically an Open Group Forum

• Founded by CISO’s of multinational companies in January 2004 to respond to…

De-Perimeterisation• Today: 42 Member Companies and growing• Mission

Act as a catalyst to accelerate the achievement of the collective vision, by:• Defining the problem space • Communicating the collective vision • Challenging constraints and creating an environment for innovation • Demonstrating the market • Influencing future products, services, and standards

Suppliers

Customers

Desired Future State

Standards and Solutions

StandardsDev

Customers

Suppliers

Police and Gov’tAgencies

SecurityForum

Work Types

NeedsPrinciplesStrategyPosition Papers

GuidelinesStandardsSolutions

White PapersPatternsUse Cases

Backgrounder

• The journey so far…• Defined the issue, and created noise around …

– We don’t apologise for the controversy!• Created the Commandments, there are 11!• Created a generic Roadmap• Trademarked: Jericho Forum• Created Inherently Secure Communications Paper• Published the COA Position Paper

Why the COA Position Paper?• We had defined the Problem…

• We had developed a set of “Principles” in the Commandments…

• We had created a roadmap (Though not rich with content)

• We realised we needed to provide more details around the Solution….

COA: The Papers Framework

• Introduction

• Problem

• Why Should I Care?

• Components of COA

• Recommended Solution/Response

• Conclusion

• The Way Forward

Introduction

Aim: To provide a guiding framework that enables Secure Information Sharing in a Collaborative environment.

Aligned to the Jericho ForumCommandments 4-8 pertaining to Surviving in a Hostile World Need for Trust Identity Management and Federation

Problem

Traditional approaches to architecting security solutions are aimed at securing organizational borders, and the network, reinforcing a ‘perimeterised’ perspective. This is contrary to the future business needs of most organisations.

A Lilly segway

• We are changing from a FIPCo to a FIPNet.– Fully Integrated Pharmaceutical Company– Fully Integrated Pharmaceutical Network

• Collaboration will be a core capability.

Why Should I care?

• De-perimeterisation is happening NOW!

• COA is the framework that will allow appropriately architected business-driven solutions to be developed and delivered.

• Adopting COA allows the added value of de-perimeterisation while mitigating the additional risks to your organizations.

Components of COA

Services- Federated Identity- Policy Management- Data/Information Management- Classification- Audit

Solution AttributesUsability/ManageabilityAvailabilityEfficiency/PerformanceEffectivenessAgility

An Architects’ View

Principles- Known parties- Assurance- Trust- Risk- Compliance- Legal, Regulatory, Contractual- Privacy

Technologies- End Point Security/Assurance- Secure Communications

- Secure Protocols-Secure Data/Information

- Content Monitoring- Content ProtectionProcesses

PeopleRiskInformationDevicesEnterprise

Secure!Reliable!Trustworth

y!

Recommended Solution/Response

• A section that describes how existing standards, protocols and frameworks should be used and supplemented with additional standards, tools, and services to deliver COA…

ITIL

TOGAF

COBIT

ISO 27001/2

SAML

SOA

Conclusion

• Implementing COA builds upon existing standards and practises to enable effective and secure collaboration

• COA provides a high level pattern to allow legacy applications to be re-architected to be collaboration oriented.

• It takes a different mindset, and new services, both in the cloud and around the data.

The way forward

• The COA position paper sketches the skeleton• We need to collectively refine / develop the

standards, tools and services in more detailed papers

• Many of which can, and should be taken up by the Security Forum and ultimately service providers

• Example : Inherently Secure Communications StandardTrust / Classification Framework….