ITU-T Perspectives on the Standards-Based Security Landscape (SG 17 Main Focus)

Abbie Barbir, Ph.D.
abbieb@nortel.com
ITU-T Q6/17 Cybersecurity Question Rapporteur
OASIS IDTrust MS Steering Committee
OASIS Telecom MS Co-chair
OASIS TAB
ISO JTC1 CAC SC6 Vice-Chair
Senior Advisor CEA, SOA, Web Services, IdM, Security
Strategic Standards
Nortel
www.oasis-open.org

Page 1: ITU-T Perspectives on the Standards-Based Security Landscape (SG 17 Main Focus)  Abbie Barbir, Ph.D. abbieb@nortel.com ITU-T Q6/17 Cybersecurity.

Page 2: Outline

• Introduction to ITU
• Security work at ITU Study Groups
• SG 17 Security work
• Highlight of Current Activities
• Challenges

Page 3: What is International Telecommunication Union (ITU)?

Headquartered in Geneva, is the UN specialized agency for telecom

• ITU-T: Telecommunication standardization of network and service aspects
• ITU-D: Assisting implementation and operation of telecommunications in developing countries
• ITU-R: Radiocommunication standardization and global radio spectrum management

Study Group Organization

(TSAG) (WTSA)

• SG 17, Security, Languages and Telecommunication Software (Lead Study Group on Telecommunication Security)
• SG 2, Operational Aspects of Service Provision, Networks and Performance
• SG 4, Telecommunication Management
• SG 5, Protection Against Electromagnetic Environment Effects
• SG 9, Integrated Broadband Cable Networks and Television and Sound Transmission
• SG 11, Signalling Requirements and Protocols
• SG 13, Next Generation Networks
• SG 15, Optical and Other Transport Network Infrastructures
• SG 16, Multimedia Terminals, Systems and Applications
• SG 19, Mobile Telecommunication Networks

Page 4: Strategic Direction

• Cybersecurity – one of the top priorities of the ITU
• ITU’s role in implementing the outcomes of the World Summit on the Information Society (WSIS) – Plenipotentiary Resolution 140 (2006)
• Study of definitions and terminology relating to building confidence and security in the use of information and communication technologies – Plenipotentiary Resolution 149 (2006)
• WTSA-04 Resolution 50, Cybersecurity – Instructs the Director of TSB to develop a plan to undertake evaluations of ITU-T “existing and evolving Recommendations, and especially signalling and communications protocol Recommendations with respect to their robustness of design and potential for exploitation by malicious parties to interfere destructively with their deployment”
• WTSA-04 Resolution 52, Countering spam by technical means – Instructs relevant study groups “to develop, as a matter of urgency, technical Recommendations, including required definitions, on countering spam”

Page 5: Highlights of current activities (1)

• ITU Global Cybersecurity Agenda (GCA)
  – A Framework for international cooperation in cybersecurity
  – Five key work areas: Legal, Technical, Organisational, Capacity Building, International Cooperation
  – High-Level Experts (HLEG) working on global strategies
  – GCA/HLEG met 26 June 2008 to agree upon a set of recommendations on all five work areas for presentation to ITU Secretary-General
• ISO/IEC/ITU-T Strategic Advisory Group on Security
  – Coordinates security work and identifies areas where new standardization initiatives may be warranted. Portal established. Workshops conducted.
• Identity Management
  – Effort jump started by IdM Focus Group which produced 6 substantial reports (265 pages) in 9 months
  – JCA-IdM and IdM-GSI established – main work is in SGs 17 and 13

Page 6: Highlights of current activities (2)

• Core security (SG 17)
  – Covering frameworks, cybersecurity, countering spam, home networks, mobile, web services, secure applications, telebiometrics, etc.
  – Work underway on additional topics including IPTV, multicast, security; risk management and incident management; traceback, Bots, Privacy,
  – Questionnaire issued to developing countries to ascertain their security needs
  – Updated security roadmap/database, compendia, manual; strengthened coordination
• Security for NGN (SG 13)
  – Y.2701: Security Requirements for NGN Release 1
  – Y.2702: NGN Authentication and Authorization Requirements
  – Y.NGN SecMechanisms: NGN Security Mechanisms and Procedures
  – Y.NGN Certificate: NGN Certificate Management
  – Y.AAA: Application of AAA for Network Access Control in UNI and ANI over NGN

Page 7: Identity: Connecting users with services and with others (Federation)

[Figure. Panel headings: "Wherever you are (across various access types)", "Whatever you’re doing (applications)", "Whatever you’re using (devices)". Labels: At your Desk, Managed Office, In the Air, On the Road, In Town, At Home, Collaboration, Voice Telephony, ERP, Video, Web Apps, PDA, Cellular, Smart Phone, PC.]

• Network Identity is essential
• Need end-to-end trust model

People have multiple identities, each within a specific context or domain

Work – [email protected][email protected][email protected][email protected]

Page 8: Challenges

• Addressing security to enhance trust and confidence of users in networks, applications and services
• With global cyberspace, what are the security priorities for the ITU with its government / private sector partnership?
• Need for top-down strategic direction to complement bottom-up, contribution-driven process
• Balance between centralized and distributed efforts on security standards
• Legal and regulatory aspects of cybersecurity, spam, identity/privacy
• Address full cycle – vulnerabilities, threats and risk analysis; prevention; detection; response and mitigation; forensics; learning
• Marketplace acceptance of Information Security Management System (ISMS) standards (ISO/IEC 27000-series and ITU-T X.1051) – the security equivalent to ISO 9000-series
• Effective cooperation and collaboration across the many bodies doing cybersecurity work
• Informal security experts network – needs commitment

There is no “silver bullet” for Cybersecurity

Page 9: Some useful web resources

• ITU-T Home page: http://www.itu.int/ITU-T/
• Security Roadmap: http://www.itu.int/ITU-T/studygroups/com17/ict/index.html
• Security Manual: http://www.itu.int/publ/T-HDB-SEC.03-2006/en
• Cybersecurity Portal: http://www.itu.int/cybersecurity/
• Cybersecurity Gateway: http://www.itu.int/cybersecurity/gateway/index.html
• Recommendations: http://www.itu.int/ITU-T/publications/recs.html
• ITU-T Lighthouse: http://www.itu.int/ITU-T/lighthouse/index.phtml
• ITU-T Workshops: http://www.itu.int/ITU-T/worksem/index.html
• LSG on Security: http://www.itu.int/ITU-T/studygroups/com17/tel-security.html

Page 10: Backup

Page 11: NGN architecture overview (Y.2012)

[Figure: NGN architecture diagram. Labels: Service stratum, Transport stratum, Management Functions, Applications, ANI, UNI, NNI, Application Support Functions & Service Support Functions, Service Control Functions, Service User Profiles, Transport Control Functions, Resource and Admission Control Functions, Network Attachment Control Functions, Transport User Profiles, Transport Functions, End-User Functions, Other Networks, Control, Media.]

Page 12: NGN architecture overview (Y.2012)

[Figure: NGN architecture diagram, repeated from the previous slide.]

• Packet-based network with QoS support and Security
• Separation between Services and Transport
• Access can be provided using many underlying technologies
• Should be reflected in policy
• Decoupling of service provision from network
• Support wide range of services/applications
• Converged services between Fixed/Mobile
• Broadband capabilities with end-to-end QoS
• Compliant with regulatory requirements
• Emergency communications, security, privacy, lawful interception
• ENUM Resources, Domain Names/ Internet Addresses

Page 13: NGN Security Trust Model

[Figure: trust zones diagram. Zones: Trusted Zone, Trusted but Vulnerable Zone, Untrusted Zone. Labels: Network Elements controlled by the NGN provider; Network Elements not always controlled by the NGN provider; NGN network Elements; Network Border Elements (NBE); TE-BE; TE; Provider-controlled Equipment.]

Page 14: NGN Peering Trust Model

[Figure: peering trust zones diagram. Zones: Trusted Zone, Trusted but Vulnerable Zone, Untrusted Zone. Labels: NGN network Elements; Domain Border Elements (DBE); Provider A; Provider B from Provider A’s point of view.]