ITU-T Workshop on "New challenges for Telecommunication Security Standardizations"

ITU-T Workshop on "New challenges for Telecommunication Security Standardizations"
(Geneva, 09-10 February 2009)

Session 5: SDO's security standardization, implementation and evaluation strategy

Arkadiy Kremer, Chairman, ITU-T Study Group 17
“We have received a strong message from our members that ITU is,
and will remain, the world’s pre-eminent global telecommunication
and ICT standards body. And we hear also, and very clearly, that ITU
should continue on its mission to connect the world, and that
bridging the standardization gap, by increasing developing country
participation in our work, is an essential prerequisite to achieve this
goal.”
Malcolm Johnson, TSB Director
(Closing speech at the WTSA-08)
ITU-T Security Workshop (Geneva, 9-10 February 2009)
2 of 21
How does the ITU-T work?
• In ITU-T, industry and governments work together to develop
consensus-based “Recommendations”
• Work is typically driven by private Sector Members
• Open (for members), transparent, bottom-up process
• Sensitive to national sovereignty: will only cover matters not
considered to be national
• Will not impose contractual terms or operating rules on
private companies
• Recommendations are not binding, but tend to be followed
because they represent true consensus
ITU-T security activities
• Most of the ITU-T study groups have responsibilities for
standardizing security aspects specific to their technologies (TMN
security, IPCablecom security, NGN security, Multimedia security,
etc.)
• ITU-T SG 17 is the Lead Study Group for:
  • Telecommunications security
  • Identity management
  • Languages and description techniques
ITU-T SG 17 history

Study Period      Name
17/9/2001-2004    Data networks and telecommunication software
2005-2008         Security, languages and telecommunication software
2009-2012         Security
SG 17 Questions
Questions have been re-organized, but all SG 17 security work from the
2005-2008 Study Period will continue.
Proposed SG 17 structure
Working Party 1: Network and information security
• Q 1 Telecommunications systems security project
• Q 2 Security architecture and framework
• Q 3 Telecommunications information security management
• Q 4 Cybersecurity
• Q 5 Countering spam by technical means
Proposed SG 17 structure (cont.)
Working Party 2: Application security
• Q 6 Security aspects of ubiquitous telecommunication services
• Q 7 Secure application services
• Q 8 Telebiometrics
• Q 9 Service oriented architecture security
Proposed SG 17 structure (cont.)
Working Party 3: Identity management and languages
• Q 10 Identity management architecture and mechanisms
• Q 11 Directory services, Directory systems, and public-key/attribute certificates
• Q 12 Abstract Syntax Notation One (ASN.1), Object Identifiers (OIDs) and associated registration
• Q 13 Formal languages and telecommunication software
• Q 14 Testing languages, methodologies and framework
• Q 15 Open Systems Interconnection (OSI)
Organization of ITU-T X-series Recommendations
(DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY)

Series            Subject
X.1-X.199         Public data networks
X.200-X.299       Open Systems Interconnection
X.300-X.399       Interworking between networks
X.400-X.499       Message Handling Systems
X.500-X.599       Directory
X.600-X.699       OSI networking and system aspects
X.700-X.799       OSI management
X.800-X.849       Security
X.850-X.899       OSI applications
X.900-X.999       Open distributed processing
X.1000-X.1999     Telecommunication Security, subdivided as:
  X.1000-X.1099   Information and network security
  X.1100-X.1199   Secure applications and services
  X.1200-X.1299   Cyberspace security
  X.1300-X.1399   Secure applications and services
Core Security Recommendations
Strong ramp-up on developing core security Recommendations in SG 17:
• 14 approved in 2007
• 27 approved in 2008
• 44 under development for approval this study period

Subjects include:
• Architecture and Frameworks
• Web services
• Directory
• Identity management
• Risk management
• Cybersecurity
• Incident management
• Mobile security
• Countering spam
• Security management
• Secure applications
• Telebiometrics
• Ubiquitous Telecommunication services
• SOA security

Ramping up on:
• Multicast
• Traceback
• Ubiquitous sensor networks

Collaboration with others on many items.
Coordination
• ISO/IEC/ITU-T Strategic Advisory Group on Security (SAG-S)
Oversees standardization activities in ISO, IEC and ITU-T relevant to
security; provides advice and guidance relative to coordination of
security work; and, in particular, identifies areas where new
standardization initiatives may be warranted (portal established,
workshops conducted).
• Global Standards Collaboration (GSC)
ITU and participating standards organizations exchange information on
the progress of standards development in the different regions and
collaborate in planning future standards development to gain synergy
and to reduce duplication. GSC-13 resolutions concerning security
include Cybersecurity (13/11), Identity Management (13/04), Network
aspects of identification systems (13/03), and Personally Identifiable
Information protection (13/25).
SG 17 Security Project
• Security Coordination
  • Within SG 17, with ITU-T SGs, with ITU-D and externally
  • Kept others informed: TSAG, IGF, ISO/IEC/ITU-T SAG-S…
  • Made presentations to workshops/seminars and to GSC
  • Maintained reference information on the LSG security webpage
• Security Compendium
  • Includes catalogs of approved security-related
Recommendations and security definitions extracted from
approved Recommendations
• Security Standards Roadmap
  • Includes a searchable database of approved ICT security
standards from ITU-T and others (e.g., ISO/IEC, IETF, ETSI, IEEE,
ATIS)
• ITU-T Security Manual: assisted in its development
Challenges
• Addressing security to enhance trust and confidence of users in
networks, applications and services
• Balance between centralized and distributed efforts on
developing security standards
• Legal and regulatory aspects of cybersecurity, spam,
identity/privacy
• Address the full cycle: vulnerabilities, threats and risk analysis;
prevention; detection; response and mitigation; forensics;
learning
• Uniform definitions of security terms
• Effective cooperation and collaboration across the many bodies
doing cybersecurity work, within the ITU and with external
organizations
• Keeping the ICT security database up-to-date
Summary
1. There are a number of different languages used for security
matters: technical, business, legal, evaluation, law enforcement
institution, standardization. And we have only a few bodies which
can organize the harmonization of these different languages. The
ITU-T might be the leader in creating such a common vocabulary for
better understanding and creation of cybersecurity. Such a
vocabulary will have to align fully with the terminology used in the
existing SDO vocabularies and embrace telecom-sector-specific
security activities as well as terminology that has established itself
in the professional community. It will also have to address evolving
terminology associated with new risks, threats and challenges.
2. It is necessary to assure the continued relevance of security
standards by keeping them current with rapidly-developing
telecommunications technologies and operators’ trends (in
e-commerce, e-payments, e-banking, telemedicine, fraud monitoring,
fraud management, fraud identification, digital identity
infrastructure creation, billing systems, IPTV, Video-on-demand,
grid network computing, ubiquitous networks, etc.).
3. Considerable attention has been recently given to the issue of
trust between network providers and communication
infrastructure vendors, in particular, in terms of communication
hardware and software security. Issues of how trust can be
established and/or enhanced need to be considered.
4. The elaboration of Recommendations for the security
methodologies and procedures necessary for compliance in the
network infrastructure could become the foundation for vendors’
understanding of network providers’ challenges, as well as the basis
for harmonization of national requirements for communication
hardware and software certification. Such Recommendations could
address:
- user identification and access management issues, and protection of
service data for network management and access;
- use of universal open interfaces for interconnecting cryptographic
protection tools in compliance with national standards;
- inter-working in TCP/IP infrastructure, with tools for counteracting
harmful software and denial of service attacks.
5. There are a number of standards in the field of
telecommunications and information security. But a standard is a
real standard only when it is used in real-world applications. Business
and governmental bodies need to learn more about standards from
the point of view of their business applications rather than from a
technical point of view. The ITU-T might provide leadership in
preparing reports on information security standardization processes
from the point of view of business applications, e.g., to support
procurement strategies.
The development of a procurement handbook which analyzes the
main types of business models and the main standards which support
these models could be a great help to the telecom industry.
6. Implementations of ITU-T security Recommendations need to be
capable of being tested for conformance and interoperability.
Implementations that cannot be tested, that involve extensive
resources, or that require access to confidential information, are
unacceptable. There needs to be some work to determine how the
need for conformance and interoperability testing of
implementations can be supported.
Some useful web resources
• ITU Global Cybersecurity Agenda (GCA) http://www.itu.int/osg/csd/cybersecurity/gca/
• ITU-T Home page http://www.itu.int/ITU-T/
• Study Group 17 http://www.itu.int/ITU-T/studygroups/com17/index.asp (e-mail: tsbsg17@itu.int)
• LSG on Security http://www.itu.int/ITU-T/studygroups/com17/tel-security.html
• Security Roadmap http://www.itu.int/ITU-T/studygroups/com17/ict/index.html
• Security Manual http://www.itu.int/publ/T-HDB-SEC.03-2006/en
• Cybersecurity Portal http://www.itu.int/cybersecurity/
• Cybersecurity Gateway http://www.itu.int/cybersecurity/gateway/index.html
• ITU-T Recommendations http://www.itu.int/ITU-T/publications/recs.html
• ITU-T Lighthouse http://www.itu.int/ITU-T/lighthouse/index.phtml
• ITU-T Workshops http://www.itu.int/ITU-T/worksem/index.html
Thank you!
Arkadiy Kremer
kremer@rans.ru