1 Motivation
Recommendations ITU-T X.1141, X.1142, X.1143, X.1144, X.1145, X.1146 and X.1147 provide a set of Recommendations on security tokens for authentication/authorization and on message security architectures for network services. Recommendations ITU-T X.1151, X.1152, X.1153, X.1154, X.1155, X.1156, X.1157, X.1158 and X.1159 specify guidelines on secure password-based authentication with key exchange and on various Trusted Third Party (TTP) services. Recommendations ITU-T X.1161, X.1162, X.1163 and X.1164 specify a comprehensive framework and mechanisms for the security of P2P services. A continued effort to maintain and enhance these security Recommendations is required to satisfy the needs of emerging technologies and services.
The telecommunications industry has been experiencing exponential growth in TTP (Trusted Third Party) services. The security of telecommunication-based application services, including social network services, P2P and TTP services, is crucial for the further development of the industry. Secure application protocols play a very critical role in providing secure application services. Standardization of the best comprehensive security solutions is vital for the industry and for network operators that operate in a multi-vendor international environment. It is also necessary to study and develop other types of secure platform and application services, such as time stamping services, secure notary services, secure digital financial services such as FinTech (open banking, peer-to-peer lending, remittance, mobile wallet, insurance) services, secure OTT (Over The Top) services, and digital twin; and the use of security assertions as a replacement for certificates in PKI-based protocols and PKI application services, etc. Security technologies such as security assertion and access control assertion are becoming very critical in communication networks.
As telecommunication and ICT develop application services, they face two new horizons that need to be studied: applications are generating and processing more and more data, and to support this, artificial intelligence may be necessary. Secure application services need to be extended to cover the extensive research and market study required to address the spectrum of operational and technical aspects of data protection, building on the existing work on data analytics services.
Data is the most fundamental and important element in ICT applications and services. Data protection plays an important role in the sustainable and healthy development of ICT applications and services by mitigating data security risks such as data leakage, data misuse, data tampering, etc. Data protection refers to a set of management and technical measures taken to avoid unauthorized access to and use of data. Data protection technologies are those that aim to protect individuals while still allowing them to enjoy the benefits of digital technologies, such as federated learning, data masking, data provenance, data lineage, digital watermarking, differential privacy, secure multiparty computation, use of cryptographic algorithms and other data security and privacy enhancing technologies. Data protection management measures may include data protection related organizational management systems, institutional norms, personnel management and training, etc. ICT organizations usually need to develop data protection systems that are suitable for themselves, and to adopt the most suitable and effective measures to protect data resources and use data securely, based on a comprehensive analysis of the application and service scenarios, governance, compliance, IT strategy, and risk tolerance.
AI is everywhere, and its application is rapidly expanding. The foundations of artificial intelligence (AI) / machine learning (ML) in supporting the building of confidence and security in the use of ICTs are worth studying. While the utilization of AI brings numerous benefits, it is crucial to remain vigilant about potential drawbacks. Various threats, such as AI model attacks, data poisoning attacks, and input manipulation attacks, are being identified. As when Big Data started, this creates new security interoperability issues, in addition to the confidentiality, integrity, and availability issues for the training data input to AI and for AI output data. All of this forms a new attack surface for artificial intelligence that needs to be studied and addressed. Again, this can build on the existing initial work on data analytics services.
Recommendations and Supplements under the responsibility of this Question as of 12 September 2024: X.1141, X.1142, X.1143, X.1144, X.1145, X.1146, X.1147, X.1148, X.1149, X.1151, X.1152, X.1153, X.1154, X.1155, X.1156, X.1157, X.1158, X.1159, X.1161, X.1162, X.1163, X.1164, X.1282, X.1450, X.1451, X.1452, X.1470, X.1471, Supplements 17, 21, 22, 38, 39 and 40, and TR.sgfdm.
Texts under development as of 12 September 2024: X.1456 (X.sgdfs-us), X.2012 (X.smdtsc), X.fr-vsasi, X.ias, X.sec-grp-mov, X.sgrtem, X.smdtf, X.srgsc, X.srgsdcs, X.srmpc, X.str-irs, X.tc-ifd, X.tg-fdma, X.vide and Technical Report TR.dpama.
2 Question
Study items to be considered include, but are not limited to:
- How should threats behind secure application services be identified and handled?
- What are the security technologies for providing secure application services?
- How should secure interconnectivity between application services be kept and maintained?
- What security techniques or protocols are needed for secure application services?
- What security techniques or protocols are needed for emerging secure application services, including service platforms, digital financial services and OTT services?
- What data protection measures are needed to mitigate the data security risks in ICT applications and services?
- What are the global security solutions for secure application services and their applications?
- What are the foundations of artificial intelligence (AI) / machine learning (ML) in supporting the building of confidence and security in the use of ICTs?
- What are the security technologies to protect data in the context of AI/ML?
- How should a strategy for protecting the artificial intelligence attack surface be defined?
3 Tasks
Tasks include, but are not limited to:
- In collaboration with other ITU-T Study Groups and Standards Development Organizations, especially with ISO/IEC JTC 1/SC 27, produce a comprehensive set of Recommendations for providing comprehensive security solutions for application communication services.
- Review existing Recommendations/Standards of ITU-T and ISO/IEC in the area of secure application services.
- Study further to define the security aspects of secure application services and of emerging new services such as digital financial services and OTT services.
- Study and develop security issues and threats in secure application services.
- Study and develop data security risks in ICT applications and services.
- Study and develop security mechanisms for secure application services.
- Study and develop Recommendations on the foundations of artificial intelligence (AI) / machine learning (ML) in supporting the building of confidence and security in the use of ICTs.
- Study and develop the data protection techniques in supporting the building of confidence and security in the use of ICTs.
- Study and develop strategies, a set of Recommendations and other texts for secure application services and for protecting the artificial intelligence attack surface.
- Study and develop data protection architectures, frameworks, models and measures for secure application services.
An up-to-date status of work under this Question is contained in the SG17 work programme at https://www.itu.int/ITU-T/workprog/wp_search.aspx?sp=18&q=7/17.
4 Relationships
Recommendations:
- X.800 series and others related to security
Questions:
- All ITU-T SG17 Questions
Study groups:
- ITU-T SG 2
- ITU-T SG 11
- ITU-T SG 13
- ITU-T SG 20
- ITU-T SG 21
Standardization bodies:
- Internet Engineering Task Force (IETF)
- European Telecommunications Standards Institute (ETSI)
- GSM Association (GSMA)
- ISO/IEC JTC 1/SC 27, ISO/IEC JTC 1/SC 42
- ISO/TC 68, ISO/TC 307
- Kantara Initiative
- Organization for the Advancement of Structured Information Standards (OASIS)
- Open Mobile Alliance (OMA)
- World Wide Web Consortium (W3C)
Other bodies:
- Council of Europe (COE)
- European Network and Information Security Agency (ENISA)
- Fast Identity Online (FIDO) Alliance
WSIS Action Lines:
- C5
Sustainable Development Goals:
- 8, 9, 11