[ISN] International body adopts network security standard

From: InfoSec News (isn@private)
Date: Thu Mar 23 2006 - 01:49:32 PST


http://www.fcw.com/article92696-03-22-06-Web

By Dibya Sarkar
Mar. 22, 2006 

The International Organization for Standardization (ISO) approved last
month a comprehensive model that identifies critical requirements to
ensure end-to-end network security.

Specifically, the global standards group formally adopted ISO/IEC
18028-2, which defines a standard security architecture and provides a
systematic approach to support the planning, design and implementation
of information technology networks.

The standard is based on X.805, a framework Bell Labs created several
years ago. The International Telecommunication Union (ITU), another
standards body, adopted it before ISO.

Rati Thanawala, vice president of Bell Labs' network planning,
performance and economic analysis division, said the new ISO standard
provides a consistent methodology for assessing end-to-end network
security. She said it also provides a common language among IT network
managers, administrators, engineers and security officers to address
security with the emergence of new technologies and convergence of
networks.

The standard also allows government and private-sector officials to
perform cost-benefit analyses and better business continuity planning,
Thanawala said.

"If you did have a disaster in communications, what is the impact of
that?" she asked. "What is going to happen? It's coming at a good time
right now because right now is a very critical time for looking at
security of communications networks."

Bell Labs created the X.805 standard to ensure end-to-end
interoperability and security for communications networks. Previously,
it was an area driven by implementing devices, such as firewalls, here
and there rather than looking at the issue holistically.

Thanawala said a working group was established about four years ago
within ITU to address that issue, and it was then that Bell Labs
created the X.805 architecture framework. For example, she said, there
are not an infinite number of threats in a communications network, but
only five.

"The five threats are how you can destroy information, corrupt
information, remove information, disclose information or interrupt
information," she said. "There isn't a sixth threat. Prior to taking a
systemic approach to this, people thought there were an infinite
number of threats to networks. But when you really get good
subject-matter experts to sit down and start thinking about it, they
said there are only five threats."

Similarly, Thanawala said, there are only eight dimensions of security
that must be addressed to prevent the exploitation of vulnerabilities.  
They include privacy, availability, integrity, communications flow,
confidentiality, nonrepudiation, authentication and access control.

There are three security layers - infrastructure, services and
applications - and three security planes - management, control and
end-user - that represent the types of activities that take place on a
network.

"So, basically there are five threats, eight dimensions, three
security layers and three planes, and that's a 72-cell matrix,"  
Thanawala said. "And that is the entire way of looking at security of
any communications network. It could be the Internet. It could be the
enterprise system. It could a sole operator."

She said the standard is critical because communications is vital to
many other infrastructures, such as banking and finance,
transportation, and power.



_________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org 



This archive was generated by hypermail 2.1.3 : Thu Mar 23 2006 - 02:04:31 PST