Arkadiy Kremer, Chairman, ITU-T Study Group 17
Session 5: SDOs security standardization, implementation and evaluation strategy
ITU-T Workshop on "New challenges for Telecommunication Security Standardizations" (Geneva, February 2009)
ITU-T Security Workshop (Geneva, 9-10 February 2009)

"We have received a strong message from our members that ITU is, and will remain, the world's pre-eminent global telecommunication and ICT standards body. And we hear also, and very clearly, that ITU should continue on its mission to connect the world, and that bridging the standardization gap, by increasing developing country participation in our work, is an essential prerequisite to achieve this goal."
Malcolm Johnson, TSB Director (closing speech at the WTSA-08)
How does the ITU-T work
- In ITU-T, industry and governments work together to develop consensus-based Recommendations
- Work is typically driven by private Sector Members
- Open (for members), transparent, bottom-up process
- Sensitive to national sovereignty: will only cover matters not considered to be national
- Will not impose contractual terms or operating rules on private companies
- Recommendations are not binding, but tend to be followed because they represent true consensus
ITU-T security activities
- Most of the ITU-T study groups have responsibilities for standardizing security aspects specific to their technologies (TMN security, IPCablecom security, NGN security, Multimedia security, etc.)
- ITU-T SG 17 is the Lead Study Group for:
  - Telecommunications security
  - Identity management
  - Languages and description techniques
ITU-T SG 17 history
Study Period 17/9/ Name:
- Data networks and telecommunication software
- Security, languages and telecommunication software
- Security
SG 17 Questions
Questions have been re-organized, but all SG 17 security work from Study Period will continue
Proposed SG 17 structure
Working Party 1: Network and information security
- Q 1 Telecommunications systems security project
- Q 2 Security architecture and framework
- Q 3 Telecommunications information security management
- Q 4 Cybersecurity
- Q 5 Countering spam by technical means
Proposed SG 17 structure (cont.)
Working Party 2: Application security
- Q 6 Security aspects of ubiquitous telecommunication services
- Q 7 Secure application services
- Q 8 Telebiometrics
- Q 9 Service oriented architecture security
Proposed SG 17 structure (cont.)
Working Party 3: Identity management and languages
- Q 10 Identity management architecture and mechanisms
- Q 11 Directory services, Directory systems, and public-key/attribute certificates
- Q 12 Abstract Syntax Notation One (ASN.1), Object Identifiers (OIDs) and associated registration
- Q 13 Formal languages and telecommunication software
- Q 14 Testing languages, methodologies and framework
- Q 15 Open Systems Interconnection (OSI)
Organization of ITU-T X-series Recommendations (DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY)
- Public data networks: X.1-X.199
- Open Systems Interconnection: X.200-X.299
- Interworking between networks: X.300-X.399
- Message Handling Systems: X.400-X.499
- Directory: X.500-X.599
- OSI networking and system aspects: X.600-X.699
- OSI management: X.700-X.799
- Security: X.800-X.849
- OSI applications: X.850-X.899
- Open distributed processing: X.900-X.999
- Telecommunication Security:
  - Information and network security: X.1000-X.1099
  - Secure applications and services: X.1100-X.1199
  - Cyberspace security: X.1200-X.1299
  - Secure applications and services: X.1300-X.1399
Core Security Recommendations
Strong ramp-up on developing core security Recommendations in SG: approved in, approved in, under development for approval this study period
Subjects include:
- Architecture and Frameworks
- Web services
- Directory
- Identity management
- Risk management
- Cybersecurity
- Incident management
- Mobile security
- Countering spam
- Security management
- Secure applications
- Telebiometrics
- Ubiquitous Telecommunication services
- SOA security
Ramping up on:
- Multicast
- Traceback
- Ubiquitous sensor networks
Collaboration with others on many items
Coordination
ISO/IEC/ITU-T Strategic Advisory Group Security: oversees standardization activities in ISO, IEC and ITU-T relevant to security; provides advice and guidance relative to coordination of security work; and, in particular, identifies areas where new standardization initiatives may be warranted (portal established, workshops conducted).
Global Standards Collaboration: ITU and participating standards organizations exchange information on the progress of standards development in the different regions and collaborate in planning future standards development to gain synergy and to reduce duplication. GSC-13 resolutions concerning security include Cybersecurity (13/11), Identity Management (13/04), Network aspects of identification systems (13/03), Personally Identifiable Information protection (13/25).
SG 17 Security Project
Security Coordination
- Within SG 17, with ITU-T SGs, with ITU-D and externally
- Kept others informed: TSAG, IGF, ISO/IEC/ITU-T SAG-S…
- Made presentations to workshops/seminars and to GSC
- Maintained reference information on LSG security webpage
Security Compendium
- Includes catalogs of approved security-related Recommendations and security definitions extracted from approved Recommendations
Security Standards Roadmap
- Includes searchable database of approved ICT security standards from ITU-T and others (e.g., ISO/IEC, IETF, ETSI, IEEE, ATIS)
ITU-T Security Manual
- Assisted in its development
Challenges
- Addressing security to enhance trust and confidence of users in networks, applications and services
- Balance between centralized and distributed efforts on developing security standards
- Legal and regulatory aspects of cybersecurity, spam, identity/privacy
- Address the full cycle: vulnerabilities, threats and risk analysis; prevention; detection; response and mitigation; forensics; learning
- Uniform definitions of security terms and definitions
- Effective cooperation and collaboration across the many bodies doing cybersecurity work, within the ITU and with external organizations
- Keeping the ICT security database up-to-date
Summary
There are a number of different languages used for security items: technical, business, legal, evaluation, law enforcement, standardization. And we have only a few bodies which can organize the harmonization of these different languages. The ITU-T might be the leader in creating such a common vocabulary for better understanding and creation of cybersecurity. Such a vocabulary will have to align fully with the terminology used in the existing SDO vocabularies and embrace telecom-sector-specific security activities as well as terminology that has established itself in the professional community. It will also have to address evolving terminology associated with new risks, threats and challenges.
Summary (cont.)
It is necessary to assure the continued relevance of security standards by keeping them current with rapidly-developing telecommunications technologies and operators' trends (in e-commerce, e-payments, e-banking, telemedicine, fraud monitoring, fraud management, fraud identification, digital identity infrastructure creation, billing systems, IPTV, Video-on-demand, grid network computing, ubiquitous networks, etc.).
3. Considerable attention has recently been given to the issue of trust between network providers and communication infrastructure vendors, in particular in terms of communication hardware and software security. Issues of how trust can be established and/or enhanced need to be considered.
Summary (cont.)
The elaboration of Recommendations for the security methodologies and procedures necessary for compliance in the network infrastructure could become the foundation for vendors' understanding of network providers' challenges, as well as the basis for harmonization of national requirements for communication hardware and software certification. Such Recommendations could address:
- user identification and access management issues, protection of service data for network management and access,
- use of universal open interfaces for interconnecting cryptographic protection tools in compliance with national standards,
- inter-working in TCP/IP infrastructure, with tools for counteracting harmful software and denial of service attacks.
Summary (cont.)
There are a number of standards in the field of telecommunications and information security. But a standard is a real standard only when it is used in real-world applications. Business and governmental bodies need to learn more about standards from the perspective of their business applications rather than from a technical point of view. The ITU-T might provide leadership in preparing reports on information security standardization processes from the point of view of business applications, e.g. to support procurement strategies. The development of a procurement handbook which analyzes the main types of business models and the main standards which support these models could be a great help to the telecom industry.
Summary (cont.)
Implementations of ITU-T security Recommendations should be capable of being tested for conformance and interoperability. Implementations that cannot be tested, that involve extensive resources, or that require access to confidential information, are unacceptable. There needs to be some work to determine how the need for conformance and interoperability testing of implementations can be supported.
Some useful web resources
- ITU Global Cybersecurity Agenda (GCA)
- ITU-T Home page
- Study Group 17
- LSG on Security
- Security Roadmap
- Security Manual
- Cybersecurity Portal
- Cybersecurity Gateway
- ITU-T Recommendations
- ITU-T Lighthouse
- ITU-T Workshops
Thank you!
Arkadiy Kremer