Arkadiy Kremer Chairman ITU-T Study Group 17 Session 5: SDO’s security standardization, implementation and evaluation strategy ITU-T Workshop on "New challenges for Telecommunication Security Standardizations" (Geneva, 09-10 February 2009)


ITU-T Security Workshop (Geneva, 9-10 February 2009)

“We have received a strong message from our members that ITU is, and will remain, the world’s pre-eminent global telecommunication and ICT standards body. And we hear also, and very clearly, that ITU should continue on its mission to connect the world, and that bridging the standardization gap, by increasing developing country participation in our work, is an essential prerequisite to achieve this goal”.

Malcolm Johnson, TSB Director

(Closing speech at the WTSA-08)

2 of 21


How does the ITU-T work?


• In ITU-T, industry and governments work together to develop consensus-based “Recommendations”

• Work typically driven by private Sector Members

• Open (for members), transparent, bottom-up process

• Sensitive to national sovereignty: will only cover matters not considered to be national

• Will not impose contractual terms or operating rules on private companies

• Recommendations are not binding, but tend to be followed because they represent true consensus


ITU-T security activities


Most of the ITU-T study groups have responsibilities for standardizing security aspects specific to their technologies (TMN security, IPCablecom security, NGN security, Multimedia security, etc.)

ITU-T SG 17 is the Lead Study Group for:

• Telecommunications security

• Identity management

• Languages and description techniques


ITU-T SG 17 history


Study Period        Name
17/9/2001-2004      Data networks and telecommunication software
2005-2008           Security, languages and telecommunication software
2009-2012           Security


SG 17 Questions


Questions have been re-organized but all SG 17 security work from 2005-2008 Study Period will continue


Proposed SG 17 structure


Working Party 1: Network and information security

• Q 1 Telecommunications systems security project

• Q 2 Security architecture and framework

• Q 3 Telecommunications information security management

• Q 4 Cybersecurity

• Q 5 Countering spam by technical means


Proposed SG 17 structure (cont.)


Working Party 2: Application security

• Q 6 Security aspects of ubiquitous telecommunication services

• Q 7 Secure application services

• Q 8 Telebiometrics

• Q 9 Service oriented architecture security


Proposed SG 17 structure (cont.)


Working Party 3: Identity management and languages

• Q 10 Identity management architecture and mechanisms

• Q 11 Directory services, Directory systems, and public-key/attribute certificates

• Q 12 Abstract Syntax Notation One (ASN.1), Object Identifiers (OIDs) and associated registration

• Q 13 Formal languages and telecommunication software

• Q 14 Testing languages, methodologies and framework

• Q 15 Open Systems Interconnection (OSI)


Organization of ITU-T X-series Recommendations


(Data networks, open system communications and security)

• Public data networks: X.1-X.199
• Open Systems Interconnection: X.200-X.299
• Interworking between networks: X.300-X.399
• Message Handling Systems: X.400-X.499
• Directory: X.500-X.599
• OSI networking and system aspects: X.600-X.699
• OSI management: X.700-X.799
• Security: X.800-X.849
• OSI applications: X.850-X.899
• Open distributed processing: X.900-X.999
• Telecommunication Security: X.1000-X.1999
  • Information and network security: X.1000-X.1099
  • Secure applications and services: X.1100-X.1199
  • Cyberspace security: X.1200-X.1299
  • Secure applications and services: X.1300-X.1399


Core Security Recommendations


Strong ramp-up on developing core security Recommendations in SG 17:
• 14 approved in 2007
• 27 approved in 2008
• 44 under development for approval this study period

Subjects include: Architecture and Frameworks; Web services; Directory; Identity management; Risk management; Cybersecurity; Incident management; Mobile security; Countering spam; Security management; Secure applications; Telebiometrics; Ubiquitous Telecommunication services; SOA security

Ramping up on: Multicast; Traceback; Ubiquitous sensor networks

Collaboration with others on many items


Coordination


ISO/IEC/ITU-T Strategic Advisory Group Security
Oversees standardization activities in ISO, IEC and ITU-T relevant to security; provides advice and guidance relative to coordination of security work; and, in particular, identifies areas where new standardization initiatives may be warranted (portal established, workshops conducted)

Global Standards Collaboration
ITU and participating standards organizations exchange information on the progress of standards development in the different regions and collaborate in planning future standards development to gain synergy and to reduce duplication. GSC-13 resolutions concerning security include Cybersecurity (13/11), Identity Management (13/04), Network aspects of identification systems (13/03), Personally Identifiable Information protection (13/25).


SG 17 Security Project


Security Coordination
• Within SG 17, with ITU-T SGs, with ITU-D and externally
• Kept others informed: TSAG, IGF, ISO/IEC/ITU-T SAG-S…
• Made presentations to workshops/seminars and to GSC
• Maintained reference information on LSG security webpage

Security Compendium
• Includes catalogs of approved security-related Recommendations and security definitions extracted from approved Recommendations

Security Standards Roadmap
• Includes searchable database of approved ICT security standards from ITU-T and others (e.g., ISO/IEC, IETF, ETSI, IEEE, ATIS)

ITU-T Security Manual
• Assisted in its development


Challenges


• Addressing security to enhance trust and confidence of users in networks, applications and services

• Balance between centralized and distributed efforts on developing security standards

• Legal and regulatory aspects of cybersecurity, spam, identity/privacy

• Address full cycle: vulnerabilities, threats and risk analysis; prevention; detection; response and mitigation; forensics; learning

• Uniform definitions of security terms and definitions

• Effective cooperation and collaboration across the many bodies doing cybersecurity work, within the ITU and with external organizations

• Keeping ICT security database up-to-date


Summary


1. There are a number of different languages used for security matters: technical, business, legal, evaluation, law enforcement, standardization. Only a few bodies can organize the harmonization of these different languages. The ITU-T might lead in creating such a common vocabulary for better understanding and creation of cybersecurity. Such a vocabulary will have to align fully with the terminology used in the existing SDO vocabularies and embrace telecom-sector-specific security activities as well as terminology that has established itself in the professional community. It will also have to address evolving terminology associated with new risks, threats and challenges.

Summary (cont.)

2. It is necessary to assure the continued relevance of security standards by keeping them current with rapidly-developing telecommunications technologies and operators’ trends (in e-commerce, e-payments, e-banking, telemedicine, fraud-monitoring, fraud-management, fraud identification, digital identity infrastructure creation, billing systems, IPTV, Video-on-demand, grid network computing, ubiquitous networks, etc.).

3. Considerable attention has recently been given to the issue of trust between network providers and communication infrastructure vendors, in particular in terms of communication hardware and software security. Issues of how trust can be established and/or enhanced need to be considered.

Summary (cont.)

4. The elaboration of recommendations for the security methodologies and procedures necessary for compliance in the network infrastructure could become the foundation for vendors’ understanding of network providers’ challenges as well as the basis for harmonization of national requirements for communication hardware and software certification. Such recommendations could address:
- user identification and access management issues, protection of service data for network management and access,
- use of universal open interfaces for cryptographic protection tools interconnect in compliance with national standards,
- inter-working in TCP/IP infrastructure, with the tools for harmful software and denial of service attacks counteraction.

Summary (cont.)

5. There are a number of standards in the field of telecommunications and information security. But a standard is a real standard only when it is used in real-world applications. Business and governmental bodies need to learn more about standards from the perspective of their business applications rather than from a technical point of view. The ITU-T might provide leadership in preparing reports on information security standardization processes from the point of view of business applications, e.g. to support procurement strategies. The development of a procurement handbook which analyzes the main types of business models and the main standards which support these models could be a great help to the telecom industry.

Summary (cont.)

6. Implementations of ITU-T security Recommendations need to be capable of being tested for conformance and interoperability. Implementations that cannot be tested, that involve extensive resources, or that require access to confidential information, are unacceptable. Work is needed to determine how conformance and interoperability testing of implementations can be supported.


Some useful web resources


• ITU Global Cybersecurity Agenda (GCA): http://www.itu.int/osg/csd/cybersecurity/gca/
• ITU-T Home page: http://www.itu.int/ITU-T/
• Study Group 17: http://www.itu.int/ITU-T/studygroups/com17/index.asp (e-mail: [email protected])
• LSG on Security: http://www.itu.int/ITU-T/studygroups/com17/tel-security.html
• Security Roadmap: http://www.itu.int/ITU-T/studygroups/com17/ict/index.html
• Security Manual: http://www.itu.int/publ/T-HDB-SEC.03-2006/en
• Cybersecurity Portal: http://www.itu.int/cybersecurity/
• Cybersecurity Gateway: http://www.itu.int/cybersecurity/gateway/index.html
• ITU-T Recommendations: http://www.itu.int/ITU-T/publications/recs.html
• ITU-T Lighthouse: http://www.itu.int/ITU-T/lighthouse/index.phtml
• ITU-T Workshops: http://www.itu.int/ITU-T/worksem/index.html


Thank you!

Arkadiy Kremer [email protected]
