Program Agenda
*subject to change
Wednesday, 30 September | Identity Management Program (Day 2)
|
|
08:30 | Coffee & Registration in the Green Auditorium Foyer |
9:15 |
KEYNOTE SESSION: Addressing Privacy, Trust, Accountability Session Chair: Don Thibeau, Executive Director, OpenID Foundation
It is easy to lose track of the human values that technical systems affect, including privacy, fair treatment, personal security, and others. Failing to understand and embrace these values will undermine public acceptance of any program or system - especially when sensitive information is involved or when a system transfers power away from the individual. This [talk/session] will explore how identity systems, databases, and other technologies are really all about people.

Implementing the government’s e-authentication trust model requires a relying party application to rely on assertions regarding identity and perhaps associated attributes at known levels of assurance. Even after years of asserting this approach, few Agencies are willing to trust an external entity’s assertion of identity. In part, this is due to a conservative tendency for an application owner to want to control all elements of an electronic transaction, historically by issuing userID/password pairs to users. But another reason is that agency application owners, and often agency security and executive leadership, do not believe that identity credentials issued by outside entities comply with their security needs. A further impediment, an additional degree of separation, is introduced by the concept of comparability of trust. In his talk, Peter will address the issues that continue to impede widespread adoption of federated identity authentication by federal relying party applications. Referencing a number of success stories enables him to suggest strategies for moving past this particular impediment. |
10:30 |
Break in the Green Auditorium Foyer |
10:45
|
ADDRESSING CITIZEN PRIVACY, TRUST, ACCOUNTABILITY Session Chair: Don Schmidt, Principal Architect, IDA Technical Strategy Group, Microsoft Corporation
Practical privacy management does not yet have the structured, architectural underpinnings enjoyed by security technology. This session will describe and illustrate original work by the International Security, Trust and Privacy Alliance (ISTPA) that provides a reference model for an operational implementation of privacy management throughout the life cycle of personal information. The ISTPA Privacy Management Reference Model introduces 10 implementable Services around which designers can architect and build privacy management systems. By name, the Services are Agreement, Control, Validation, Certification, Audit, Enforcement, Interaction, Usage, Agent, and Access. Each Service has a defined set of detailed functions, yet is interdependent and can be invoked flexibly within a system. Security can be applied to each Service as well as to the underlying IT infrastructure. The Reference Model provides a new tool for privacy practitioners to apply use cases in the design of privacy management architectures, system designs, protocols, specifications, and operational implementations. |
12:00 | Lunch in the West Square Cafeteria |
1:00 | UNDERSTANDING THE CLOUD & ITS SECURITY RISKS Session Chair: Michael McIntosh, Senior Technical Staff Member, IBM
The present trends in cloud computing seem to be towards using hybrid clouds as deployment models for corporate data centers and making use of Software as a Service (SaaS) for supply chain applications. In most cases, cloud-based computing services are based on a virtualization platform. This scenario has impacts in the area of operational requirements and architectures. One of the operational requirements for enterprises deploying hybrid clouds for their data center is to move their application packages seamlessly from their internal (own) data centers to a cloud provider and vice versa and manage them through a common view. This requires the use of management tools that provide mobility for virtual machines across heterogeneous hypervisors. It is in this context that emerging standards such as Open Virtualization Format (OVF) are important, as they provide the means to package the application components in a hypervisor-independent format for easy mobility between internal and external clouds. In the area of SaaS for supply chain applications, cloud-based federated identity architecture holds great potential. To realize the benefits of this architecture, API standards are needed for Account Management (Directory synchronization, Account Provisioning), negotiation of profiles/protocols (federation) and registration of IdPs and SPs.

Cloud computing is the phrase du jour, and many organizations are jumping on the bandwagon. Cloud computing is still in its early stages, but the commercial and government sectors are beginning to see the advantages of adopting this new trend in computing. The benefits, such as reduced IT costs, reduced management overhead, and the ability to focus on mission critical applications, are too great to overlook at this point. The speaker will talk about how the real power of cloud computing is in the potential to re-think and re-design IT architectures at a fundamental level. Companies that gain early experience will be best positioned to harness these new architectural approaches to re-shape the broader business landscape.

How can you tell if your cloud provider is secure? One of the biggest problems for cloud providers is how to assure customers they are secure without having to let every company audit their infrastructure. ENISA (the European Network and Information Security Agency) is preparing a report on the key cloud security risks and ways of addressing them with the help of a group of technical and legal experts including many major cloud providers. This talk will look at the principal security risks and benefits and how to address them.

The goal of this presentation is to discuss federated key management and why it should be an essential part of cloud computing. To do this, the speaker will first describe key management and why it's important. Next, he will discuss how federated key management can provide the infrastructure needed to protect sensitive data when it's used in cloud computing. Finally, the speaker will talk about how cloud computing may require a key management service and describe the properties that such a service needs to have. |
3:00 | Break in the Green Auditorium Foyer |
3:15
|
STAYING AHEAD OF THE CURVE WITH FEDERATED KEY MANAGEMENT SOLUTIONS Session Chair: Anil Saldhana, Lead Security Architect, Middleware, Red Hat
Challenges, Successes & Lessons Learned Roundtable
Protecting data while at rest, in motion or in use has been quite challenging for the security industry. Encryption of the data has been hampered with the challenge of managing keys in a large heterogeneous environment. The industry has struggled to bring a cohesive solution to this complex problem of managing keys. Federated Key Management remains a major obstacle to enterprises and organizations. This panel will highlight the challenges faced by Federated Key Management, efforts in the standards world towards interoperable solutions and lessons learned in implementations of Public Key Infrastructure (PKI). Panel Speakers:
|
4:30 | CLOSING REMARKS |
4:45 |
Conference Ends, shuttle service available |