Summary and Conclusions - PowerPoint PPT Presentation
1
Summary and Conclusions
ITU Workshop on ICT Security Standardization for
Developing Countries, Geneva, Switzerland, 15-16
September 2014
2
Opening session conclusions
  • Mr. Zhaoji Lin chaired the meeting and gave an
    opening speech which covered the following
    aspects:
      • Introductory information and guidance
      • Defining the steering committee
      • Mission/objectives of the workshop and what we
        expect to get out of the workshop
      • Introduction/overview of the sessions of the workshop.

3
Opening Session
  • Keynote speaker: Mr. Malcolm Johnson, ITU TSB Director
      • Thanks SG17 for organizing this workshop
      • Around 90 people registered, but participation is
        open to all
      • The importance of having such an event
      • Participation of people from developing countries
        in SG17 is increasing
      • Appreciates the role of IMPACT and ITU-D
      • Threats are increasing (e.g. spam)

4
Opening Session
  • Keynote speaker: Mr. Arkadiy Kremer, ITU-T Study Group 17 Chairman
      • Thanks TSB for their support
      • Focus on challenges in ICT infrastructure
        development
      • Main pillars for providing confidence and security
      • ITU-T SG17 standardization activities
      • Developing an effective security strategy
      • Developing countries' participation in SG17

5
Outcome of Opening Session (1)
  • ITU-T SG17 vice-chairman Mr. Zhaoji Lin chaired
    the meeting and made an opening speech which
    covered the following aspects:
      • introductory information and guidance for the
        workshop, including the background of the
        workshop and the facilities
      • the decision of SG17 to organize this workshop
        and the steering team of the workshop
      • mission/objectives of the workshop and what we
        expect to get out of the workshop
      • information on the security standardization
        challenges
      • highlights of the sessions of the workshop

6
Outcome of Opening Session (2)
  • Two keynote speeches were presented.
  • The first keynote speaker was ITU TSB Director
    Mr. Malcolm Johnson, whose speech mainly focused
    on the challenges of cyber threats to the world,
    especially in developing countries; on spam
    threats to developing countries and WCIT-12
    efforts to encourage Member States to cooperate
    to prevent spam; on the efforts of ITU in dealing
    with these challenges; and on the collaboration of ITU
    with other SDOs on ICT security standardization
    activities.
  • The second keynote speaker was ITU-T SG17
    chairman Mr. Arkadiy Kremer. His speech mainly
    focused on challenges in ICT infrastructure
    development, the main pillars for providing
    confidence and security, ITU-T SG17 standardization
    activities, developing an effective security
    strategy, and the participation of developing
    countries in SG17.

7
Conclusion of Opening Session
  • This workshop aimed to present the activities and
    achievements of standardization in cybersecurity,
    data protection, trust services and cloud
    computing; focused on the methodology of securing ICT
    within critical infrastructure; heard the reaction
    of the security industry; addressed the interests
    and needs of users; and encouraged collaboration
    between SDOs in security standardization for the
    special needs of developing countries.
  • International standards are tools offering
    technical, procedural, and administrative
    defences that are internationally applicable.
  • ITU-T, and specifically ITU-T SG17, has made great efforts
    to bridge the standardization gap between
    developed countries and developing countries to
    build confidence and security in the use of
    ICTs.

8
Session 1 conclusions
  • Although Zambia like most developing countries
    has limited capacity in addressing security
    challenges, reasonable progress has been achieved
    in putting in place the necessary institutional
    framework.
  • New security approaches are required in order to
    enable large scale deployment of IoT systems.

9
Session 1 conclusions (cont'd)
  • SG 17 should consider organizing a special
    session to address security challenges related to
    mobile financial services.
  • Strong collaboration between ITU and UPU on
    security is vital especially in areas such as
    secure e-mail and financial transactions.

10
Session 1 conclusions (cont'd)
  • SG17 and IEC/TC57/WG15 should cooperate and share
    expertise on smart-grid security.
  • Security should be embedded in the system design
    in order to lower operational costs.

11
Session 2 conclusions
  • To identify key topics/requirements for ICT
    security (through presentations):
      • Need to step up authentication capabilities
        for mobile online trust
      • Use of lightweight crypto for connected cars
        and ITS security
      • Critical infrastructure security in the energy sector
      • Need for interoperability of secure enterprise
        mobility across providers
      • Identity Based Attestation and Open Exchange
        Protocol (IBOPS)
      • Big Data (BD) security and privacy

12
Session 2 conclusions: Output on Objective 2 (cont.)
  • To explore the way to develop security standards
    in ITU-T (through the Round Table):
      • The authentication landscape is changing rapidly,
        and the ID ecosystem is also changing. A new use
        case (requirement) is authentication/identification
        on demand. The work of the FIDO Alliance and
        OASIS TC IBOPS is to be looked at, and
        collaboration is suggested.
      • There is a need for a minimum level of security
        in ITS and IoT environments. ISO/IEC
        JTC 1/SC27/WG2 is standardizing lightweight
        crypto and is seeking collaboration on
        how to use such crypto.
      • Critical infrastructures are to be looked at.
        There is room for cooperation and standardization
        between military and civil domains. Governments need
        standards on electronic signatures and e-IDs.
        ITU-T should consider standardization cooperation
        with European bodies (like ENISA).

13
Session 2 conclusions: Output on Objective 3 (cont.)
  • To explore the way to develop security standards
    in ITU-T (through the Round Table):
      • ISO/IEC JTC 1/SC27 is doing work in data
        management and governance, on secure data
        storage, and on data discovery, all of which are
        subject to standardization. Real-time security
        analytics for data management should be
        considered. ISO is doing a gap analysis on big
        data; there is an opportunity for collaboration
        with ITU-T (SG17).
      • TC 215 has developed several health informatics
        standards, such as on information governance and
        policy management, and could potentially work
        with ITU-T.

14
Session 2 conclusions: Output on Objective 4 (cont.)
  • Summary
      • Mobile security (authentication) - FIDO Alliance
        and OASIS TC IBOPS
      • Utilization of lightweight crypto for ITS/IoT -
        ISO/IEC JTC1/SC27 and others
      • Critical infrastructures - European bodies (like
        ENISA)
      • Big Data security and PII - ISO/IEC JTC1/SC27
      • Health informatics - TC215

15
Session 3 conclusions
  • Make standards less complex and more applicable
  • Create standards for actual needs
  • Collaboration is the key
  • Standardization is very important for staying on the
    same track
  • Sharing known vulnerabilities and threats makes a
    significant difference
  • Data protection becomes more important with
    online services

16
Session 3 conclusions
  • Operational experience and demand from the field
    are very important
  • ITU-D is a great opportunity for creating standards
    that are widely used by developing countries
  • Start a joint project with ITU-D to enhance the
    business use of standards

17
Session 3 conclusions
  • It will be very beneficial if experts help
    countries to implement the standards
  • Encourage governments, organizations, companies,
    and academia to participate

18
Session 4 conclusions: Summary 1/3
  • Session 4 discussed the role of ICT in critical
    infrastructure protection from three different
    perspectives, as follows.
  • Frameworks and international collaboration: Mr
    Koyabe presented "Critical Information
    Infrastructure Protection (CIIP): Commonwealth
    Perspective", with insights on a cybergovernance
    model adopted by those countries, and Mr McCrum
    presented "Toward a partnership-based framework
    for establishing secure ICT infrastructure in
    developing countries", with proposals on
    regulatory measures, the ITU role and mutual
    recognition agreements (MRA).

19
Session 4 conclusions: Summary 2/3
  • Standardization issues on CIIP: Mr. Zolotnikov
    presented "Critical infrastructure protection
    standardization to protect critical
    infrastructure objects", with some key principles
    of secured system development to be standardized,
    including industrial control systems (ICS), and
    Mr. Strunge presented "Security by Design in
    Smart Grids: A Need to Rethink ICT in Power
    System Controls", including proposals
    on automated certificate handling, whitelists,
    and multiple associated parallel PKIs.

20
Session 4 conclusions: Summary 3/3
  • Role of ICT and sector regulators: Mr. Alsamhan
    presented "ICT Regulator Role on National
    Security and Critical Infrastructure Protection",
    with Saudi Arabia's experiences on CIP, national
    CERT deployment, and security enforcement
    measures, and Mr. Guimaraes presented "Critical
    telecommunication infrastructure protection in
    Brazil", with insights on legislation,
    methodologies and an information system under
    development (SIEC).
  • These perspectives were further developed during
    the final discussion panel. Some aspects
    discussed in Session 4 could be of interest to
    ITU-T Questions 2/17, 4/17, 6/17, 7/17 and 11/17.
  • In particular, ITU-D Q3/2 was highly interested
    in Mr. Koyabe's presentation.

21
Session 5 summary (1/3)
  • This session consisted of five presentations:
  • Cloud security standardization activities in
    ITU-T - Huirong Tian, China
      • presenting major deliverables and activities of
        the ITU-T FG on cloud computing and various existing
        work by ITU-T SG17 as well as SG13, especially
        the approved Recommendation ITU-T X.1601,
        security framework for cloud computing.
  • ITU-T SG17 Identity management (IdM) Progress
    Report - Abbie Barbir, ITU-T Q10/17 Rapporteur
      • presenting the mission and major coordinated
        activities of ITU-T SG17 Question 10 with other
        SDOs, as well as the current state, drivers for the
        future direction, the need for better identity
        assurance and trust frameworks, and the future focus in
        the identity management area.
  • X.509 in a changing world - Erik Andersen, Denmark
      • presenting ITU-T X.509, the definition and role of
        PKI, the changing environment for use of PKI such as
        cloud, mobile, M2M, and smart grid, and the future of
        Recommendation ITU-T X.509.

22
Session 5 summary (2/3)
  • National ID management system in Korea - Daeseon
    Choi, Electronics and Telecommunications Research
    Institute, Authentication Research Section
    Leader
      • presenting the national initiative on an identity
        management system, including issues around the
        national identifier, online and offline identity
        proofing, various authentication technologies
        such as PKI, SSO and attribute sharing, and the
        future direction of Korean IdM.
  • Introduction to ISO 29003 - Identity Proofing -
    Patrick Curry, British Business Federation
    Authority (SC27 WG5)
      • presenting ISO/IEC 29003 Identity Proofing, including
        the need for and definition of identity proofing,
        key players around identity proofing, changing
        factors that need to be considered, and the role of
        the international standard.

23
Session 5 summary (3/3)
  • The session held a roundtable discussion.
  • Six panelists, including the five speakers and Frederic
    Gittler from the Cloud Security Alliance, were invited
    to the roundtable discussion, which was devoted to
    identifying potential future topics which SG17 needs
    to consider, especially by answering the following
    questions:
      • What are the current major activities that other
        (standards) organizations are carrying out which
        ITU-T SG17 needs to consider?
      • What is your view about the gap in the current
        standards activities of ITU-T SG17 in these areas?
      • What are your perspectives about the future
        direction of ITU-T SG17 standardization
        activities in the areas of cloud and identity
        management, considering future ICT
        environments, such as one supporting a super-highly
        connected society?

24
Session 5 conclusions: Major findings and future
directions
  • Suggested topics for future study in the cloud
    security area:
      • trust models, security controls, best practices,
        etc.
  • Topics carried out by CSA for SG17:
      • Cloud security and privacy
      • Virtualization security
      • Governance and assurance
      • Incident management and digital forensics, etc.
  • Three key success factors for coordination
    between SDOs, provided by CSA, in cloud
    security:
      • Avoiding duplication/coordination,
      • Having certification with maturity models,
      • Ease of use and accessibility.
  • Suggested topics for future study in the identity
    management area:
      • Business and Privacy Guidelines,
      • Interoperable Products and Services,
      • Identity Assurance Framework Assessors for
        better identity assurance and trust frameworks

25
Session 5 conclusions: Major findings and future
directions
  • There is a need for:
      • updating Rec. ITU-T X.509, considering new
        factors and meeting new requirements in the new
        ICT environment, such as smart grid.
      • developing guidelines/implementation guides for
        PKI deployment in developing countries by SG17,
        and investigating national-level initiatives on
        PKI deployment and usage, online and offline or
        combined identity proofing, and various
        authentication methods as best practices for use
        or deployment by developing countries.
      • an International Standard to address
        in-person proofing, which is a very fundamental
        process for a secure e-ID system, to be developed
        by SC27 WG 5, possibly in cooperation with
        ITU-T SG17.

26
Session 6: Security Standardization Challenges
  • Objectives
      • To better understand the role of ICT security
        standardization
          • A set of short presentations that highlight ICT
            security standardization efforts in 8
            international and regional bodies
      • To explore ICT security standardization
        challenges
          • An open roundtable discussion on challenges,
            including collaboration and meeting user needs,
            especially those from developing countries

27
Session 6 Presentations
  • International Organization for Standardization
    (ISO)
      • Walter Fumy, ISO/IEC JTC 1/SC27 chairman
      • Overview of security work in ISO, the new ISO TC 292,
        and the security work of SC27
  • Internet Engineering Task Force (IETF)
      • Kathleen Moriarty, Security Area director
      • IETF security working groups, emerging work
        areas, fellowships, policy programme

28
Session 6 Presentations
  • European Telecommunications Standards Institute
    (ETSI)
      • Charles Brookson, ETSI TC CYBER chairman
      • Work of TC CYBER, cyber security coordination
        group recommendations, ETSI security activities
  • Cloud Security Alliance (CSA)
      • Frederic Gittler, HP
      • Cloud computing and mobility as a unique
        opportunity for developing countries

29
Session 6 Presentations
  • FIRST (an international confederation of trusted
    computer incident response teams)
      • Damir Rajnovic, member of the board of directors
      • Common issues when trying to implement
        international standards in a national environment
  • Organization for the Advancement of Structured
    Information Standards (OASIS)
      • Carol Cosgrove-Sacks, senior advisor
      • Securing the digital frontier: the need for
        robust cyber security standards

30
Session 6 Presentations
  • Regional Asia Information Security Exchange Forum
    (RAISE Forum)
      • Koji Nakao, co-chairman
      • Challenges, objectives, current focus, projects
  • International Telecommunication Union
    Telecommunication Standardization Sector (ITU-T)
      • Arkadiy Kremer, Study Group 17 chairman
      • Strategic goals of ITU-T SG17's efforts in
        security standardization, supporting developing
        countries, and cooperation with other bodies

31
Session 6 Roundtable
  • What do you see as the key challenges for ICT
    security standardization?
  • What do you see as the benefits and challenges of
    cooperation and collaboration among standards
    setting organizations?
  • How do you ensure standards you develop will meet
    the needs of users, especially those in
    developing countries?
  • What is the SDOs' role in the implementation of
    standards?

32
Session 6: Roundtable Results
  • Reinforced the continuing need for collaboration
  • Establish collaboration with ETSI TC CYBER
  • Revisit/update the security standards roadmap
  • Need for constant feedback into the standardization
    process
  • Bridge the gap between technology and users (e.g.,
    the password problem); make standards simple to use

33
Session 6: Roundtable Results
  • Need ramp-up documents to support complex
    standards
  • Employ innovative arrangements that facilitate
    new participants
  • Essential to encourage/facilitate organizations
    in developing countries to be engaged in
    standards development
  • Essential to encourage/facilitate developing
    countries to take the best of standards/best
    practices, as ICT security standards are
    essential to all

34
Provisional follow-up actions in
response to key conclusions
35
  • Promote cooperation and collaboration essential
    to combating cybersecurity challenges (e.g.
    CIRTs), and recognize existing work of other SDOs
  • Promote common policies and enforcement
    mechanisms recognizing the trans-border nature of
    cyber attacks
  • Promote Mutual Recognition Agreements and
    conformance and interoperability (CI) testing
  • Encourage developing countries to provide their
    requirements to international standardization
    work
  • Fast-track successful standards from other
    standards bodies through the ITU-T approval
    process to give them international status

36
  • Organise a dedicated meeting to address financial
    inclusion security issues
  • Consider New ITU-T work item on Big Data security
  • Investigate Critical Information Infrastructure
    Protection (CIIP) and Critical Information
    Protection (CIP)
  • Evolution of ITU-T X.509
  • Establish educational capacity-building project
    on X.509 certificates and the broader public-key
    infrastructure (PKI)
  • Ensure that the final product of X.509rev is
    future-proofed for the evolving scenarios and
    sectors of application
  • Liaise closely with other SDOs in particular IETF

37
  • Consider a new joint ITU-UPU project: secure
    e-mail, active monitoring, PostID, federated
    identity ecosystem, trust frameworks, two-factor
    authentication, secure cloud services, and joint
    standardization of UPU S64 postal identity
    management
  • ITU-T Study Group 17 to consider the outputs and
    conclusions of each session
  • Other ITU-T study groups and ITU-D Study Group 2
    to be informed of the Workshop outputs and
    conclusions
  • ITU-T and ITU-D to increase collaboration on
    capacity building on security standards