OASIS Mailing List Archives

cti message



Subject: Re: [cti] Gap Analysis


FWIW, the data security version of tokenization [1] is very different from the computer programming concept of tokenization [2].

I think we can add it as an item to track and vote on. This will make things a little messier to track for John – maybe we have a section for things that were added after the initial request?

This is based only on a quick reading, but IMO a key concept in tokenization is the process that is necessary to support it. It seems that the tokenization concept requires a system/process for mapping tokenized values back to the sensitive data element.

I would vote non-MVP on tokenization. The keystone of my opinion is that I haven’t seen evidence that tokenization is needed for STIX 2.0 to be viable. I understand the goal, but I personally haven’t heard anyone say that they can't use STIX 2.0 unless it has tokenization. My understanding is nascent and I could change my vote if enough evidence is provided that STIX 2.0 is not viable without tokenization. 

Thank you.
-Mark


From: <cti@lists.oasis-open.org> on behalf of JG on CTI-TC <jg@ctin.us>
Date: Sunday, April 3, 2016 at 11:27 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Gap Analysis

Patrick/Bret & All:

Where would the issue of Tokenization fit into the MVP list?

See attached.

Jane

On 4/3/2016 4:36 PM, Jordan, Bret wrote:
Thanks... And yes, the more eyes we can have on this the better. As you find stuff that is missing, please speak up so we can add it to the list.

Step 1: Identify gaps and decide on MVP items 

Step 2: Triage the MVP items and build a plan to finish 2.0 MVP


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Apr 3, 2016, at 16:30, Patrick Maroney <Pmaroney@Specere.org> wrote:

In reviewing the draft specifications, we still have not addressed a few of the key gaps in the prior standards.  One of particular interest is "fixing" Targets/Victims as TLOs.  Please add this item to the Gap Analysis discussions.

Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org




On Sun, Apr 3, 2016 at 12:45 PM -0700, "Jordan, Bret" <bret.jordan@bluecoat.com> wrote:

All,

Early this week I will be working with Rich P and John Wunder on a Gap Analysis between what we have right now in the pre-draft specs for 2.0 and what is in STIX 1.2.  This should help the MVP discussion and give greater clarity to the community about where things are at and where they are going.


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 



-- 
Jane Ginn, MSIA, MRP
Cyber Threat Intelligence Network, Inc.
jg@ctin.us

