This issue of XML Daily Newslink is sponsored by:
Microsoft Corporation http://www.microsoft.com
- Cloud Security Alliance Announces New Programs at RSA Conference 2010
- Keynote Address from RSA President: Safety in the Cloud
- RSA Keynote: Cloud's Future Depends on Security
- W3C Publishes New Versions of Java Applets for XQuery and XPath
- Session Peering Provisioning Protocol (SPPP) Over SOAP and HTTP
- A Tour of the Open Standards Used by Google Buzz
- Microsoft Making IE 8 Fully Compatible with More Websites
Cloud Security Alliance Announces New Programs at RSA Conference 2010
Staff, CSA Announcement
On March 1, 2010 at the RSA 2010 Conference, the Cloud Security Alliance (CSA) made several announcements at its CSA Summit to provide both cloud customers and cloud providers with research, tools and calls to action to further build trust and mitigate risks within cloud computing. The Cloud Security Alliance, led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders, is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing...
CSA is releasing the results of a research project to identify cloud threats, code named 'Seven Deadly Sins'. The new research findings detail the potential threats surrounding the use of cloud services. The research, commissioned by HP, was designed to help companies understand current and future threats, and to provide remediation strategies to ensure that business processes as well as data remain secured in the cloud. The report is the result of a broad examination of information security experts across 29 enterprises, solution providers, and consulting firms exposed to some of the world's most demanding and complex cloud environments.
CSA and IEEE jointly issued a new 'CSA and IEEE-SA Cloud Standards Survey and Research' which reveals industry demand for standards within cloud computing to promote security. Hundreds of IT professionals, many of whom are actively involved in implementing cloud-related projects, participated in the joint IEEE/CSA survey. Among the survey's findings: (1) Ninety- three percent of respondents said the need for cloud computing security standards is important; 82 percent said the need is urgent. (2) Forty-four percent of respondents said they are already involved in development of cloud computing standards, and 81 percent said they are somewhat or very likely to participate in development of cloud security standards in the next twelve months. (3) Data privacy, security and encryption comprise the most urgent area of need for standards development. (4) The ISO 27001/27002 Information Security Management Standard is a key regulatory driver of standards compliance, as are Data Breach Notification, PCI/DSS (Payment Card Industry Standard), EU Data Privacy Legislation, SOX (Sarbanes-Oxley Act) and HIPAA (Health Insurance Portability and Accountability Act). (5) The use of public, private and hybrid clouds will rise over the next 12 months. The survey found that, while public clouds are most popular, private and hybrid implementations are quickly gaining in adoption. (6) The rate of using and providing software, platform and infrastructure as a service (SaaS, PaaS and IaaS) will increase consistently in the next 12 months. The survey showed that PaaS and IaaS are set for the sharpest growth.
CSA also announced the production of a new Cloud Controls Matrix, which catalogs cloud security controls aligned with key information security regulations, standards and frameworks. The Cloud Security Alliance Controls Matrix (CM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud Security Alliance Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, and NIST, and will augment or provide internal control direction for SAS 70 attestations provided by cloud providers. As a framework, the CSA CM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. The CSA CM strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud..."
See also: the CSA Trusted Cloud Initiative
Keynote Address from RSA President: Safety in the Cloud
Art Coviello, Network World
This article provides a transcript of the RSA 2010 presentation by RSA president Art Coviello. Excerpts: "believe, we in the security industry need a more elevated and expansive vision connected to the huge wave of IT transformation under way right now that is cloud computing. Think for a moment about why cloud computing is so powerful. It enables businesses to leave their aging, inflexible and costly IT infrastructures behind and move to a new "pay as you go" world characterized by choice and agility...
Cloud computing can dramatically alter this two-thirds / one-third ratio -- so that much more energy and investment can be directed toward real innovation and competitive advantage. Trouble is something's holding back the full realization of this cloud vision. And that in a word is security. Cloud computing will complete the transformation of IT infrastructures unleashed by the Internet. Organizations will demand it because they absolutely must get faster and better returns on their IT investments. So we must play an essential role in making cloud computing a reality...
We see four, well-defined stages on this journey. The journey begins with virtualization of non-mission critical infrastructure like test and development systems and low-risk applications. There are relatively few new security requirements at [the virtualization] level given the non-critical nature of the applications but it is in this stage that you will become adept with the tools of virtualization and begin the process of 'hardening' the virtual infrastructure. In the second stage of the journey organizations virtualize critical business applications. Here your infrastructure becomes far more scalable and elastic with the security requirements scaling in proportion. We'll want to push security down the stack, deep in the virtual layer; embedding controls that today are bolted on to the physical infrastructure... A third stage consists of a fully virtualized and automated data center where application workloads are policy- and service-level driven. Now, the enterprise must have far more mature processes for governance, risk and compliance that can span their physical and virtual infrastructures...
In the fourth stage, enterprises start to outsource their infrastructures to external service providers. But you won't want any part of that unless service providers can demonstrate their ability to effectively enforce policy, prove compliance and manage multi-tenancy. At this stage, federation becomes an important capability. Organizations will need the ability to dictate and federate identity and policy to their service providers on how information is accessed and handled. Next they'll need to demand that cloud providers deliver strong proof of compliance, even in the deepest levels of the cloud..."
See also: the RSA 2010 program agenda
RSA Keynote: Cloud's Future Depends on Security
William Jackson, Government Computer News
"RSA has announced an initiative with VMware, Intel, and Archer Technologies to enable the visibility into cloud security that will be required to ensure that policy and regulations can be enforced in the virtual environment. Microsoft has announced that it is making cryptographic algorithms for its U-Prove minimal disclosure ID management scheme available for use under an open source license.
RSA's Art Coviello said the security industry has the opportunity to ensure that security is built into cloud computing from the beginning so that it can be used to its full potential: 'Cloud computing has the ability to complete the transformation of information technology that was started by the Internet, but its success depends on security.'
Scott Charney, Microsoft's vice president of trustworthy computing, said cloud computing has new implications for the company's 9-year-old Trustworthy Computing Initiative. It moves the goal of end-to-end trust out of the PC or the enterprise and into a new environment where no one entity has access or authority. Identity authentication and privacy will be the key elements in enabling cloud computing. The movement of data into a virtual environment not controlled by individuals requires a rethinking of how we approach identity management... Enabling security along with privacy requires the ability for a user to prove the minimum necessary information about himself during a transaction, without exposing unnecessary information. That is the purpose of the U-Prove scheme. It is a 'claims-based' identity system based on proving certain claims about the user without including the entire identity if not necessary..."
See also: Charney's blog
W3C Publishes New Versions of Java Applets for XQuery and XPath
Liam Quin, XML-DEV Posting
Liam Quin, W3C XML Activity Lead, announced an update to the W3C XPath/XQuery Applets: "We've posted new versions of the XPath/XQuery Java Applets; you could use them as the basis for implementations, or to test against your own grammar; they show a parse tree for input, and were made using the grammars in the respective specifications. These applets correspond to the latest working drafts for the XQuery 1.1 and XPath 2.1 documents, as well as (separately) for 1.0, where the combinations covered are as follows: XPath 2.0; XPath 2.1; XQuery/XPath Core; XQuery 1.0; XQuery 1.0 + Full Text Extensions; XQuery 1.0 + Update Facility; XQuery 1.0 + Full Text Extensions + Update Facility; XQuery 1.1; XQuery 1.1 + Full Text Extensions; XQuery 1.1 + Update Facility; XQuery 1.1 + Full Text Extensions + Update Facility..."
Overview: "Use these Java applets to check your syntax online, or as the basis for your own XPath 2 or XQuery implementation. They support XML Query, XPath 2, and also the Full Text and Update drafts...
The applets are a tool for readers and parser implementers of XPath 2.0 and 2.1, and XQuery 1.0 and 1.1. The results should not be used as an absolute reference, and may flag legal syntax or errors not intended by the drafts. However, the applets were generated by processing the XML representation of the grammar, which is also used to produce the EBNF productions in the XPath and XQuery drafts. This parser is also used by the working groups to validate the integrity of the grammar. Implementers may wish to download the XPath 2/XQuery Parser Build, 'xgrammar_src.zip' and 'xgrammar_libs.zip', if they are interested in the parser production, and more details of this process.
See also: the announcement
Session Peering Provisioning Protocol (SPPP) Over SOAP and HTTP
Kenneth Cartwright (ed), IETF Internet Draft
An initial level -00 Internet Draft has been published for "Session Peering Provisioning Protocol (SPPP) Over SOAP and HTTP." The draft was produced by members of the IETF Data for Reachability of Inter/tra-NetworK SIP (DRINKS) Working Group.
The specification in this document for transporting SPPP XML structures over SOAP and HTTP(s) is primarily comprised of five subjects: (1) a description of any applicable SOAP features, (2) any applicable HTTP features, (3) authentication and session management, (4) security considerations, and perhaps most importantly, (5) the Web Services Description Language (WSDL) definition.
Abstract: "The Session Peering Provisioning Protocol (SPPP) is an XML protocol that exists to enable the provisioning of session establishment data into Session Data Registries or SIP Service Provider data stores. Sending XML data structures over Simple Object Access Protocol (SOAP) and HTTP(s) is a widely used, de-facto standard for messaging between elements of provisioning systems. Therefore the combination of SOAP and HTTP(s) as a transport for SPPP is a natural fit. The obvious benefits include leveraging existing industry expertise, leveraging existing standards, and a higher probability that existing provisioning systems can be more easily integrated with this protocol. This document describes the specification for transporting SPPP XML structures over SOAP and HTTP(s).
The SPPP WSDL is commonly referred to as 'Generic WSDL'. It is generic in the sense that there is not a specific WSDL operation defined for each business action that is supported by the SPPP protocol. There is a single WSDL operation called submitRequest. It takes as input an spppRequestMsg object and returns as output an spppResponseMsg object. These objects 'wrap' the spppRequest and spppResponse objects respectively. These two object data structures are described in the SPPP protocol specification. And finally, the spppSOAPBinding in the WSDL defines the binding style as 'document' and the encoding as 'literal'. It is this combination of 'wrapped' input and output data structures, 'document' binding style, and 'literal' encoding that characterizes the Document Literal Wrapped style of WSDL specifications. The advantage of generic WSDL is that the WSDL is more succinct, much simpler, and therefore more easily maintained. As operations are added into or removed from the SPPP protocol, the WSDL does not need to change. This approach is made possible by the fact that the SPPP XML data types and supported actions are defined in the SPPP XML schema, not in the WSDL. As a result the supported actions do not need to be re-defined here inside the SPPP SOAP WSDL..."
A Tour of the Open Standards Used by Google Buzz
James Clark, Random Thoughts Blog
"The thing I find most attractive about Google Buzz is its stated commitment to open standards... So I took a bit of time to look over the standards involved. I'll focus here on the standards that are new to me...
One key design decision in Google Buzz is that individuals in the social web should be identifiable by email addresses—or at least strings that look like email addresses. On balance I agree with this decision: although it is perhaps better from a purist Web architecture perspective to use URIs for this, I think email addresses work much better from a UI perspective.
Google Buzz therefore has some standards to address the resulting discovery problem: how to associate metadata with something that looks like an email address. There are two key standards here: (1) XRD: This is a simple XML format developed by the OASIS XRI TC for representing metadata about a resource in a generic way. This looks very reasonable and I am happy to see that it is free of any XRI cruft. It seems quite similar to RDDL. (2) WebFinger: This provides a mechanism for getting from an email address to an XRD file. It's a two-step process based on HTTP. First of all you HTTP get an XRD file from a well-known URI constructed using the domain part of the email address (the well-known URI follows the Defining Well-Known URIs and host-meta Internet Drafts). This per-domain XRD file provides (amongst other things) a URI template that tells you how to construct a URI for an email address in that domain; dereferencing this URI will give you an XRD representation of metadata related to that email address. There seem to be some noises about a JSON serialization, which makes sense: JSON seems like a good fit for this problem...
One of the many interesting things you can do with such a discovery mechanism is to associate a public key with an individual. There's a spec called 'Magic Signatures' that defines this. Magic Signatures correctly eschews all the usual X.509 cruft, which is completely unnecessary here; all you need is a simple RSA public key... There are also standards that extend Atom. The simplest are just content extensions: (1) Atom Activity Extensions provides semantic markup for social networking activities such as "liking" something or posting something. (2) Media RSS Module provides extensions for dealing with multimedia content... There are also protocol extensions: PubSubHubbub provides a scalable way of getting near-realtime updates from an Atom feed, and Salmon makes feed aggregation two-way..."
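The two-step WebFinger discovery described above, worked through offline as an added example (not code from the post or from Google Buzz): both XRD documents are constructed inline, the XRD 1.0 namespace and the `lrdd` template link are as in the drafts, and the `magic-public-key` link with its placeholder RSA value is an assumption about how a Magic Signatures key would be published. It also adds two defensive checks the post does not mention: the identifier must have exactly one `@`, and the expanded template must be an https URL.

```python
"""Offline walk-through of WebFinger/XRD discovery. Sample XRD documents
are constructed here; nothing is fetched from any real host."""
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"

# Constructed per-domain host-meta XRD (step 1 would GET this from
# https://example.org/.well-known/host-meta). The lrdd link carries a
# URI template with a {uri} placeholder.
HOST_META = """<?xml version="1.0"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Link rel="lrdd" type="application/xrd+xml"
        template="https://example.org/webfinger?q={uri}"/>
</XRD>"""

# Constructed per-user XRD (step 2 would GET this from the expanded template).
# The magic-public-key link is an assumption; the RSA value is a placeholder.
USER_XRD = """<?xml version="1.0"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>acct:alice@example.org</Subject>
  <Link rel="http://webfinger.net/rel/profile-page" href="https://example.org/alice"/>
  <Link rel="magic-public-key" href="data:application/magic-public-key,RSA.PLACEHOLDER.AQAB"/>
</XRD>"""


def split_identifier(ident):
    """Accept only a single user@domain form; reject anything else."""
    user, sep, domain = ident.strip().lower().rpartition("@")
    if not sep or not user or not domain or "@" in user or "/" in domain:
        raise ValueError("not an email-like identifier: %r" % ident)
    return user, domain


def host_meta_uri(domain):
    """Step 1: the well-known URI is built from the domain part only."""
    return "https://%s/.well-known/host-meta" % domain


def lrdd_template(host_meta_xml):
    """Pull the lrdd URI template out of the per-domain XRD."""
    root = ET.fromstring(host_meta_xml)
    for link in root.iter(XRD_NS + "Link"):
        if link.get("rel") == "lrdd" and link.get("template"):
            return link.get("template")
    raise LookupError("host-meta has no lrdd template")


def expand_template(template, user, domain):
    """Substitute the acct: URI percent-encoded, so it cannot alter the path
    or add query parameters, and insist the result is an https URL."""
    uri = template.replace("{uri}", quote("acct:%s@%s" % (user, domain), safe=""))
    if urlsplit(uri).scheme != "https":
        raise ValueError("refusing non-https LRDD endpoint: " + uri)
    return uri


def links_by_rel(user_xrd_xml):
    """Step 2 result: map link relations to hrefs from the per-user XRD."""
    root = ET.fromstring(user_xrd_xml)
    return {ln.get("rel"): ln.get("href") for ln in root.iter(XRD_NS + "Link")}


def discover(ident, host_meta_xml=HOST_META, user_xrd_xml=USER_XRD):
    """Run both steps against the supplied documents and report the result."""
    user, domain = split_identifier(ident)
    uri = expand_template(lrdd_template(host_meta_xml), user, domain)
    return {"host_meta": host_meta_uri(domain), "lrdd": uri,
            "links": links_by_rel(user_xrd_xml)}
```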
See also: Google Buzz and the Social Web
Microsoft Making IE 8 Fully Compatible with More Websites
Nicholas Kolakowski, eWEEK
Microsoft has issued an official blog posting on March 2, 2010 detailing its engineers' thinking process behind the build of Internet Explorer 8, the latest version of its Web browser, and how it chooses to render certain Websites. According to the blog posting, some 19 percent of high-traffic Websites currently render in IE 8 standards. Microsoft is working to reduce the list of Websites for which IE 8 needs a feature called Compatibility View in order to render all elements properly... The number of Websites that require IE 8's compatibility has apparently declined from 3,100 to more than 2,000 in the last 12 months, according to Microsoft.
The blog article "How IE8 Determines Document Mode" was authored by Marc Silbey, Internet Explorer Program Manager. Excerpts: "This post describes how IE8 determines what Document Mode such as Quirks or Standards Modes to use for rendering websites. This topic is important for site developers and consumers. It's related to the Compatibility View List that we recently updated. This list is down by over 1000 websites, from over 3100 to just over 2000, since IE8 released last March. As we work with site developers and standards bodies, we're excited to see the sites that need to be on the Compatibility View (CV) List continue to go down...
When looking at the doctype and X-UA-Compatible meta tag and header on thousands of high traffic websites worldwide such as qq.com, netlog.com and those on the initial CV List, (1) 26% specify Quirks such as amazon.com, tworld.co.kr, and unibanco.com.br; (2) 41% specify a Transitional doctype that puts them in Almost Standards Mode; (3) 14% have already added an X-UA-Compatible meta tag or HTTP response header to render in IE7 Standards Mode...
Compatibility and interoperability are complex. To reduce complexity for developers and users alike, we would love to see websites transition from legacy browser modes. We respect that the choice of mode is up to the site developer. We're excited to work with sites and standards bodies to continue improving IE's implementation of interoperable standards..."
See also: Marc Silbey's blog article
XML Daily Newslink and Cover Pages sponsored by:
Sun Microsystems, Inc. http://sun.com
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html
Cover Pages: http://xml.coverpages.org/