This part of the Roadmap is intended to capture possible future areas of
security standards work where gaps or needs have been identified as well as
areas where proposals have been made for specific new standards work.
Contributions are invited on items relevant to this topic – please see
section 4.
This part of the Roadmap consists of four sections: Current new work
proposals and topics under study; Areas where gaps in the security
standards have been identified; Additional suggestions on future needs for
security standards; and Feedback.
1. Current new work proposals and topics under study
1.1 ITU-T
At the December 2010 meeting of ITU-T, the following new work item proposals
were accepted for the current Study Period (2009-2012):
Proposed by Q2 (Security architecture and framework)
- X.rev “Architectural systems for security controls for preventing fraudulent activities in public carrier networks” (by Question 2/17).
- X.nsc “National IP-based Public Networks Security Center for Developing Countries” (by Question 2/17).
Proposed by Q3 (Telecommunications information security management)
- X.rmsm “Information security management reference model for small and medium-sized telecommunication organizations” (in Question 3/17).
Proposed by Q4 (Cybersecurity)
- X.sip-cyber “Security guideline for countering cyber attacks on SIP-based Services” (in Question 4/17).
- X.ssaf “Security standards availability framework” (in Question 4/17).
Proposed by Q6 (Security aspects of ubiquitous telecommunication services)
- X.unsec “Security requirement and framework of ubiquitous networking” (in Question 6/17).
Proposed by Q8 (Service oriented architecture security)
- X.fsspvn “Framework of the Secure Service Platform for Virtual Network”, which focuses on general services for establishing and managing a virtual network (jointly between Question 7/17 and Question 8/17).
Proposed by Q9 (Telebiometrics)
- X.bhsm “Telebiometric authentication framework using biometric hardware security module” (in Question 9/17).
- X.1086 Amendment 2 “Protection procedure for telebiometrics information from video surveillance system”.
Proposed by Q11 (Directory services, Directory systems, and public-key/attribute certificates)
- F.5xx “Directory support of RFID identification applications” (in Question 11/17).
Proposed jointly by Q4 and Q10 (Cybersecurity and Identity management architecture and mechanisms)
- X.idmcc “Requirement of IdM in cloud computing”, on identity in the cloud as it relates to CYBEX. This new work item would put more focus on the harmonization of telco services in the cloud computing environment (jointly between Question 10/17 and Question 4/17).
1.2 ISO/IEC JTC1 SC27
The following New Proposals are included in the SC27 program of work:
- ISO/IEC NP 27016, Information security management -- Organizational economics (Technical Report)
- ISO/IEC NP 27033-5, Network security - Part 5: Securing communications across networks using Virtual Private Networks (VPNs) - Threats, design techniques and control issues (revision of ISO/IEC 18028-5:2006)
- ISO/IEC NP 27033-6, Network security - Part 6: Wireless - Threats, design techniques and control issues
- ISO/IEC NP 27034-3, Application security - Part 3: Application security management process
- ISO/IEC NP 27034-4, Application security - Part 4: Application security validation
- ISO/IEC NP 27034-5, Application security - Part 5: Protocols and application security controls data structure
- ISO/IEC NP 27038, Specification for digital redaction
- ISO/IEC NP 30104, Physical security attacks, mitigation techniques and security requirements (Technical Specification)
In addition, Study Periods have been established in SC 27 on the following
topics:
WG 1
- Study Period - Taxonomy for ISO/IEC 27001 & 27002
- Study Period - Cloud computing security and privacy
WG 2
- Identity-based cryptosystems and certificateless cryptosystems
- Russian block cipher GOST
- Blind signature schemes
- Criteria for the standardization of encryption algorithms
WG 3
- Study Period on System evaluation
WG 4
- Cloud computing security and privacy
- Storage Security
- Digital Evidence Readiness and Analysis*
- Digital Evidence Verification and Validation*
- WG 4 Vocabulary and Terminology
- Incident Management, Operation and Response
WG 5
- Harmonized SC 27/WG 5 Vocabulary
- Cloud computing security and privacy
2. Areas where gaps in security standards have been identified
2.1 Gaps identified by ENISA
The ENISA report “Gaps in standardization related to resilience of
communication networks” makes the following recommendations for future
standardisation activities:
1. Work items should be actively promoted in the SDOs (e.g. through a mandate) to support the specification of metrics and supporting test and validation criteria to be used in the assessment of resilience (derived, where possible, from existing metrics used in the assessment of reliability and failure analysis);
2. Work items should be actively promoted in the SDOs (e.g. through the means of a mandate) to support the development of a taxonomy for resilience;
3. As a very large part of system resilience is enabled by features and capabilities not covered by the conventional telecommunications SDOs, those SDOs should be encouraged to build links from their work to the output of bodies dealing with those ancillary features (e.g. power, heat, light, flood control, environmental control, and access, i.e. transport links to get maintenance staff to site for repairs);
4. Add ‘resilience’ as a ‘keyword’ in classifying standards in the SDOs;
5. Update the procedures of SDOs in approving work items to address how resilience will be achieved, e.g. if a system implemented using the present document fails, how will the system be maintained (i.e. what measures are offered in support of resilience by this standardisation effort).
In addition, the report identifies a number of detailed areas where the SDOs
are expected to work in order to facilitate greater assurance of resilience
in networks.
2.2 Needs identified by 2010 ITU-T security workshop
The ITU Workshop on “Addressing security challenges on a global scale”,
held in Geneva on 6 and 7 December 2010, produced the following
observations regarding standardization gaps and needs:
- Trusted identities and privacy: Trusted identities and consumer control of personal information are essential to the effectiveness of transactions on the Internet. Trusted frameworks that provide identity assurance are a critical factor in the success of the digital identity ecosystem. However, unlike the information security discipline with which it is closely tied, there are no standards-based operational models enabling the development of privacy-compliant technical architectures.
- Cloud computing: Cloud computing is a double-edged sword from the security standpoint. Despite its potential to provide low-cost security, individuals and organizations may increase their risks by storing sensitive data in the cloud. Nevertheless, cloud computing-based services have developed rapidly, but their security aspects are still at an initial stage of development. The ITU-T FG could provide an initial document for discussion on cloud security by the middle of February 2011. The document should be shared with other SDOs as well as SGs in ITU-T in order to jointly and collaboratively investigate target study issues for cloud security standardization.
- Global protocol platforms: Common global protocol platforms for the trusted exchange of information are essential.
- Vendor-neutral security management and measurement: To support organizational discipline and accountability objectives while enabling innovation and flexibility, the security industry needs to move to a vendor-neutral security management and measurement strategy that is agnostic to the specific solution providers while also flexible enough to work with several different solutions simultaneously.
- Comprehensive standards framework for Health IT: It is time to develop a comprehensive standards framework for Health IT based on the collaborative work of IT research institutions, governmental and private health institutions, and physicians involved in Health IT practice in both urban and rural locations.
- Remote medical systems vulnerabilities: Security technologies are required to address the vulnerabilities of remote medical systems and to safeguard them effectively against external attacks, while personal privacy should be assured.
- User authentication and service aspects of telemedicine: To provide stable biometric telemedicine and telehealth services, user authentication and service aspects should be considered.
- Security and privacy of biometric systems: Appropriate countermeasures to safeguard the security of a biometric system and the privacy of its data subjects are essential.
- Critical ICT security gaps and standardization priorities:
  o Educating people on the importance of security for their work;
  o Helping others to incorporate security in their work;
  o Solving scalability issues;
  o Building extensibility into protocols so that they can evolve to counter new threats without breaking;
  o Extending security work to wireless;
  o Addressing human factors, probably the weakest link.
2.3 Needs identified at 2009 ETSI security workshop
A panel discussion on priorities for future security standardization at the
2009 ETSI security workshop provided some indications of areas that need to
be addressed by standards developers. The following conclusions are
extracted from the workshop report. The complete report is available at:
“ETSI 2009 Security Workshop Report”.
Prioritization
It was stressed that it is very important for standardization bodies to
perform a careful assessment of the need and uses for each proposed standard
before embarking upon development in order to justify the utilization of
resources. E.g. is the need for a specific standard supported across a broad
community of interest? Is there a real demand for the standard and
technology it covers? What constituency is the standard intended to serve?
Who will use it? Are the resources available to develop the standard and
will those resources constitute a representative cross section of the
community of interest? (E.g. there is usually little point in developing a
standard if only one or two organizations are sufficiently interested to
commit resources to it).
The clear feeling is that this is an area where improvement is needed for
standardization bodies that need to match standard development plans with
adoption prospects, and efforts should be coordinated among bodies in order
to prioritize standardization work and avoid duplication of efforts.
Topics on which ICT security standardization should focus include areas
where systems interconnect or interact including networked critical
infrastructures, public safety communications and areas that include the
electronic storage or exchange of personal information.
Standardization should not be viewed in isolation but rather as part of a
process that includes research, development, implementation and maintenance.
And, there needs to be more flexibility in the standardization processes
(e.g. by using special interest groups to develop and promote ideas and
concepts).
In addition, it was suggested that key elements and interfaces should be
standardized but standards should not be so prescriptive as to eliminate
choice in implementations. Standards should reduce the selection factor, not
eliminate it completely, so that implementers are able to exercise
creativity while designing products that meet the standard and users are
able to choose the best implementation to fit their needs.
Privacy
The discussion indicated that standards currently suffer from insufficient
attention to the issue of privacy. For example, while the work done so far
on identity management is beginning to address some of the issues of
managing personally identifiable information, it does not yet address the
broader implications for the privacy of the citizen. (There is much more to
privacy than personally identifiable information, for example, potential for
tracking without identification or re-identification of individuals through
the aggregation and analysis of multiple resources). There is considerable
potential for information to be collected inappropriately or unnecessarily.
In such a scenario, with, for example, identity brokers/providers handling
information to serve diverse needs and interests, aggregation becomes a
major threat. Identity brokers holding large amounts of private information
could become prime targets for attacks, and such information may be held in
jurisdictions that are beyond the reach of existing privacy legislation.
At the same time it was pointed out that many people do not pay enough
attention to their own privacy e.g. by providing personal information too
freely and without considering how it will be used. Nevertheless,
information collected is, in many countries, covered by privacy laws and
regulations. Governments should continue to adopt measures to protect the
privacy of their citizens, as the average user cannot realistically be
considered to have the technical knowledge and expertise to manage his/her
own privacy effectively.
ICT standardization needs to tackle these issues, firstly by clearly
recognizing the need to address privacy aspects, and then by embedding them
into standards from the very beginning. Privacy must be built in to
standards, not regarded as an afterthought.
Although the fact that several groups/bodies are working on aspects of
privacy makes the entire subject matter less “manageable”, it was observed
that it is unrealistic, and probably not advisable, to try to centralize
privacy efforts within any one standardization body. Attempting to do so
could create conflicts of interest and lead to recommendations that are too
broad to be actionable.
Evaluation
A strong need for metrics in IT security and related standards was
recognized. The decision to develop some standards but not others should not
be based on their “attractiveness” or on the degree of interest of the
subject matter experts, but on measurable criteria which would establish
cost-effective methods to evaluate final products in the implementation
phase. This would provide more reliable means for organisations to build
their business cases to participate in the development of security standards
and to promote their use on the market. In addition there needs to be some
follow-up or review after a standard has been developed to assess whether it
has met the original objectives, whether it is actually being used to the
extent anticipated and, if not, why not.
A way forward could be to establish a consortium of stakeholders, users and
standardization bodies to work towards the creation of a seal of approval
for products, services and processes that meet predefined criteria. Security
standards developed according to the criteria could permit the implementers
to apply such seal to their products.
The evaluation of the effectiveness of security standards needs to be based
ultimately on the effectiveness of security measures in the implemented
products using the standards. This implies the need to enhance testing
efforts in terms of standards conformity and interoperability.
It is recognized that the area of ICT security standards metrics/evaluation
is an open issue which needs much additional research by standardization
bodies and stakeholders.
3. Additional suggestions on future needs for security standards
A number of suggestions have been submitted by individuals. These have not
yet been collectively discussed but will be considered during a future SG 17
examination of proposed new areas of work.
Availability/reliability/resilience
Almost no work has been done so far on availability/reliability/resilience
for any layer above the Transport layer. There is a huge need for these
topics to be addressed, particularly for the network infrastructure but also
for applications and services.
IPv6 security
ITU-T seems to have given little consideration so far to IPv6 security even
though members have expressed a strong interest in IPv6. SG 17 might take a
closer look at what has been done in other SDOs (particularly IETF) to
identify gaps that might be addressed by future SG 17 work.
DNS security
Although DNS security is now in the implementation and deployment phase,
there is a need for the development of best practices and guidance. In
addition, the area of key management for DNS is a possible candidate for
standardization.
Miscellaneous suggestions
- Child protection: is there a role for security standardization to help address this problem?
- Privacy enhancing technologies and privacy best practices, and the linkage between security standards and privacy.
- Trust and security assurance: there is a need for frameworks and methodology standards.
- Security in the cloud generally and, more specifically, IdM for cloud environments.
- Security for the smart grid: there is a need to bridge the telecom view of ICT with that of new sectors.
- Practical access control standards for areas where XACML is too heavyweight.
- PKI: can it be made simpler and more user-friendly?
- Security terminology: developing a common language of security terms.
4. Provide feedback on future needs and proposed new security standards
Comments and suggestions are invited on areas where future standards are
believed to be needed or where study is indicated. Comments are also invited
on all aspects of this work, including the current new work proposals and
topics under study. Where feedback relates to an existing comment or
suggestion, the reference number of the particular comment or suggestion
should be specified.
To provide comments please go to: Roadmap Part 4 Feedback.