
Arkadiy Kremer Chairman ITU-T Study Group 17

ITU-T Workshop on "New challenges for Telecommunication Security Standardizations" (Geneva, 09-10 February 2009). Session 5: SDO’s security standardization, implementation and evaluation strategy. Arkadiy Kremer Chairman ITU-T Study Group 17.


Presentation Transcript


  1. ITU-T Workshop on "New challenges for Telecommunication Security Standardizations" (Geneva, 09-10 February 2009)
     Session 5: SDO’s security standardization, implementation and evaluation strategy
     Arkadiy Kremer, Chairman, ITU-T Study Group 17

  2. ITU-T Security Workshop (Geneva, 9-10 February 2009)
     “We have received a strong message from our members that ITU is, and will remain the world’s pre-eminent global telecommunication and ICT standards body. And we hear also, and very clearly, that ITU should continue on its mission to connect the world, and that bridging the standardization gap, by increasing developing country participation in our work, is an essential prerequisite to achieve this goal”.
     Malcolm Johnson, TSB Director (Closing speech at the WTSA-08)

  3. How does the ITU-T work
     • In ITU-T, industry and governments work together to develop consensus-based “Recommendations”
     • Work typically driven by private Sector Members
     • Open (for members), transparent, bottom-up process
     • Sensitive to national sovereignty: will only cover matters not considered to be national
     • Will not impose contractual terms or operating rules on private companies
     • Recommendations are not binding, but tend to be followed because they represent true consensus

  4. ITU-T security activities
     • Most of the ITU-T study groups have responsibilities for standardizing security aspects specific to their technologies (TMN security, IPCablecom security, NGN security, Multimedia security, etc.)
     • ITU-T SG 17 is the Lead Study Group for:
       - Telecommunications security
       - Identity management
       - Languages and description techniques

  5. ITU-T SG 17 history

  6. SG 17 Questions
     Questions have been re-organized but all SG 17 security work from 2005-2008 Study Period will continue

  7. Proposed SG 17 structure
     • Working Party 1: Network and information security
       - Q 1 Telecommunications systems security project
       - Q 2 Security architecture and framework
       - Q 3 Telecommunications information security management
       - Q 4 Cybersecurity
       - Q 5 Countering spam by technical means

  8. Proposed SG 17 structure (cont.)
     • Working Party 2: Application security
       - Q 6 Security aspects of ubiquitous telecommunication services
       - Q 7 Secure application services
       - Q 8 Telebiometrics
       - Q 9 Service oriented architecture security

  9. Proposed SG 17 structure (cont.)
     • Working Party 3: Identity management and languages
       - Q 10 Identity management architecture and mechanisms
       - Q 11 Directory services, Directory systems, and public-key/attribute certificates
       - Q 12 Abstract Syntax Notation One (ASN.1), Object Identifiers (OIDs) and associated registration
       - Q 13 Formal languages and telecommunication software
       - Q 14 Testing languages, methodologies and framework
       - Q 15 Open Systems Interconnection (OSI)

  10. Organization of ITU-T X-series Recommendations
      (DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY)
      • Public data networks: X.1-X.199
      • Open Systems Interconnection: X.200-X.299
      • Interworking between networks: X.300-X.399
      • Message Handling Systems: X.400-X.499
      • Directory: X.500-X.599
      • OSI networking and system aspects: X.600-X.699
      • OSI management: X.700-X.799
      • Security: X.800-X.849
      • OSI applications: X.850-X.899
      • Open distributed processing: X.900-X.999
      • Telecommunication Security: X.1000-1999
      • Information and network security: X.1000-X.1099
      • Secure applications and services: X.1100-X.1199
      • Cyberspace security: X.1200-X.1299
      • Secure applications and services: X.1300-X.1399

  11. Core Security Recommendations
      • Strong ramp-up on developing core security Recommendations in SG 17
        - 14 approved in 2007
        - 27 approved in 2008
        - 44 under development for approval this study period
      • Subjects include:
        - Architecture and Frameworks; Web services; Directory
        - Identity management; Risk management; Cybersecurity
        - Incident management; Mobile security; Countering spam
        - Security management; Secure applications; Telebiometrics
        - Ubiquitous Telecommunication services; SOA security
      • Ramping up on:
        - Multicast; Traceback; Ubiquitous sensor networks
      • Collaboration with others on many items

  12. Coordination
      • ISO/IEC/ITU-T Strategic Advisory Group Security
        - Oversees standardization activities in ISO, IEC and ITU-T relevant to security; provides advice and guidance relative to coordination of security work; and, in particular, identifies areas where new standardization initiatives may be warranted (portal established, workshops conducted)
      • Global Standards Collaboration
        - ITU and participating standards organizations exchange information on the progress of standards development in the different regions and collaborate in planning future standards development to gain synergy and to reduce duplication. GSC-13 resolutions concerning security include Cybersecurity (13/11), Identity Management (13/04), Network aspects of identification systems (13/03), Personally Identifiable Information protection (13/25).

  13. SG 17 Security Project
      • Security Coordination
        - Within SG 17, with ITU-T SGs, with ITU-D and externally
        - Kept others informed - TSAG, IGF, ISO/IEC/ITU-T SAG-S…
        - Made presentations to workshops/seminars and to GSC
        - Maintained reference information on LSG security webpage
      • Security Compendium
        - Includes catalogs of approved security-related Recommendations and security definitions extracted from approved Recommendations
      • Security Standards Roadmap
        - Includes searchable database of approved ICT security standards from ITU-T and others (e.g., ISO/IEC, IETF, ETSI, IEEE, ATIS)
      • ITU-T Security Manual – assisted in its development

  14. Challenges
      • Addressing security to enhance trust and confidence of users in networks, applications and services
      • Balance between centralized and distributed efforts on developing security standards
      • Legal and regulatory aspects of cybersecurity, spam, identity/privacy
      • Address full cycle – vulnerabilities, threats and risk analysis; prevention; detection; response and mitigation; forensics; learning
      • Uniform definitions of security terms and definitions
      • Effective cooperation and collaboration across the many bodies doing cybersecurity work – within the ITU and with external organizations
      • Keeping ICT security database up-to-date

  15. Summary
      1. There are a number of different languages which are used for security items: technical, business, legal, evaluation, law enforcement institution, standardization. And we have only a few bodies which can organize the harmonization of these different languages. The ITU-T might be the leader in creating such a common vocabulary for better understanding and creation of cybersecurity. Such a vocabulary will have to align fully with the terminology used in the existing SDO vocabularies and embrace telecom-sector-specific security activities as well as terminology that has established itself in the professional community. It will also have to address evolving terminology associated with new risks, threats and challenges.

  16. Summary
      2. It is necessary to assure the continued relevance of security standards by keeping them current with rapidly-developing telecommunications technologies and operators’ trends (in e-commerce, e-payments, e-banking, telemedicine, fraud-monitoring, fraud-management, fraud identification, digital identity infrastructure creation, billing systems, IPTV, Video-on-demand, grid network computing, ubiquitous networks, etc.).
      3. Considerable attention has been recently given to the issue of trust between network providers and communication infrastructure vendors, in particular, in terms of communication hardware and software security. Issues of how trust can be established and/or enhanced need to be considered.

  17. Summary
      4. The elaboration of recommendations for the security methodologies and procedures necessary for compliance in the network infrastructure could become the foundation for vendors’ understanding of network providers’ challenges as well as the basis for harmonization of national requirements to communication hardware and software certification. Such recommendations could address:
         - user identification and access management issues, protection of service data for network management and access,
         - use of universal open interfaces for cryptographic protection tools interconnect in compliance with national standards,
         - inter-working in TCP/IP infrastructure, with the tools for harmful software and denial of service attacks counteraction.

  18. Summary
      5. There are a number of standards in the field of telecommunications and information security. But a standard is the real standard when it is used in real-world applications. Business and governmental bodies need to learn more about standards from their business applications rather than from a technical point of view. The ITU-T might provide leadership in preparing reports on information security standardization processes from the point of view of business applications, e.g. to support procurement strategies. The development of a procurement hand-book which analyzes main types of business models and main standards which support these models could be a great help to the telecom industry.

  19. Summary
      6. Implementations of ITU-T security Recommendations capable of being tested for conformance and interoperability. Implementations that cannot be tested, that involve extensive resources, or that require access to confidential information, are unacceptable. There needs to be some work to determine how the need for conformance and interoperability testing of implementations can be supported.

  20. Some useful web resources
      • ITU Global Cybersecurity Agenda (GCA): http://www.itu.int/osg/csd/cybersecurity/gca/
      • ITU-T Home page: http://www.itu.int/ITU-T/
      • Study Group 17: http://www.itu.int/ITU-T/studygroups/com17/index.asp
        - e-mail: tsbsg17@itu.int
      • LSG on Security: http://www.itu.int/ITU-T/studygroups/com17/tel-security.html
      • Security Roadmap: http://www.itu.int/ITU-T/studygroups/com17/ict/index.html
      • Security Manual: http://www.itu.int/publ/T-HDB-SEC.03-2006/en
      • Cybersecurity Portal: http://www.itu.int/cybersecurity/
      • Cybersecurity Gateway: http://www.itu.int/cybersecurity/gateway/index.html
      • ITU-T Recommendations: http://www.itu.int/ITU-T/publications/recs.html
      • ITU-T Lighthouse: http://www.itu.int/ITU-T/lighthouse/index.phtml
      • ITU-T Workshops: http://www.itu.int/ITU-T/worksem/index.html

  21. Thank you!
      Arkadiy Kremer
      kremer@rans.ru
