First Call for Participation
in the
Second Workshop on
Distributed Object Computing Security
May 1998
The Sheraton Inner Harbor
Baltimore, Maryland, USA
Sponsored by the
Object Management Group
and the
United States National Security Agency
http://www.omg.org/DOCSec/1998/
---------------------------------------------------------------------------
Introduction
In today's highly competitive and constantly shifting IT environment of
inter-, intra-, and extra-nets, organizations are no longer concerned with
the question of whether to use Distributed Object Computing (DOC) in their
enterprise IT architecture - they quite simply have to if they are to
remain competitive. In many cases, enterprise IT architects don't even have
the option of which DOC model - CORBA, DCOM/ActiveX, or Java RMI - to use
because they already have operational or near-operational subsystems that
are using all three. The only real question is how to achieve
inter-operation among the three models to avoid a new generation of
stovepipe systems.
Adding the concerns associated with information technology security
complicates the challenges of DOC interoperability even more. The available
security technologies for any one DOC model are immature, unproven, poorly
understood, and difficult to manage - but absolutely critical to the
success of the enterprise subsystems that use that model. Compounding this
problem with each individual DOC technology is the fact that some aspects
of the security technologies of each model are incompatible with those of
the others.
Building on a very successful first workshop devoted to these problems in
the CORBA DOC model, the OMG and the NSA are now expanding the scope for
this second workshop to include security issues in and among all three DOC
models. As always, a full understanding of the strengths and weaknesses of
the security aspects of each and all of the DOC models and standards
requires experience with Object Oriented Technology, Information Technology
Security and operational system planning, development and deployment. This
workshop is intended to bring together individuals with various
combinations of these experiences to examine, explain and critique the DOC
Security technologies available today.
The workshop approach will again be to have individuals with the full range
of OOT, IT Security, and Operational System experience examine and discuss,
in turn, the content and meaning of any or all of the DOC Security
standards, the design issues relevant to realizing published DOC Security
standards in products, and the design issues relevant to using DOC Security
products meeting published security standards as the foundation for
operational systems.
Instructions
The workshop is open to all with an interest in and understanding of some
combination of secure IT systems integration, operational IT security and
CORBA, DCOM, or Java security standards and products. Participation will be
limited to approximately 50 individuals who are able to clearly and
concisely express their perspective in one or more of the following major
categories (with notional examples of the elements of each category):
DOC Security Standards
* Concise representation of the CORBA, DCOM, or Java Security standards'
security model
* Concise representation of the CORBA, DCOM, or Java Security standards'
object model
* Relationship of the CORBA, DCOM, or Java Security standards to
traditional perspectives on IT Security
* Relationship of the CORBA, DCOM, or Java Security standards to
traditional perspectives on OOT design
Secure DOC Product Design Issues
* Issues associated with realizing the security specification(s) for
each DOC model
* The effect of the security specification(s) on the rest of each DOC
model
* Security assurance issues in DOC Security Products
* Security Architecture issues in DOC Security Products
* DOC Security Product dependencies on OS security
* DOC Security Product dependencies on network security
DOC Security Integration Issues
* Capabilities provided by existing and emerging DOC Security products
* Capabilities not provided by existing and emerging DOC Security
products
* Specializing existing and emerging DOC Security products for specific
application domains or operational requirements
* Providing application layer security policy support that can be
established, implemented and administered for specific application
domains or operational requirements
DOC Security Operational Issues
* Security administration in homogeneous or heterogeneous configurations
of existing and emerging DOC Security products
* Validating the security posture of homogeneous or heterogeneous
configurations of existing and emerging DOC Security products
* Balancing dynamic operational performance requirements with both
static and dynamic security requirements
* Establishing extra-domain security relationships in response to
evolving operational requirements
Interested individuals or organizations are invited to submit a brief
position statement of one printed page (or 60 80-character email lines of
text) describing experiences, research or analysis that pertains to the
workshop topics. This position statement should be submitted via email by
9 January 1998 to secws-submissions@omg.org
Workshop invitations and details of the workshop agenda will be extended to
selected authors by 1 March 1998.
WORKSHOP COMMITTEE
Co-Chairs:
Dr. Richard Mark Soley
Chairman and CEO
Object Management Group
soley@omg.org

Mr. David Chizmadia
Office of INFOSEC Computer Research
National Security Agency
dmc@tycho.ncsc.mil