
The Green Book


Date:	Mon, 30 Aug 1993 19:44:46 +0059

From:	Roland Hueber <100013.1437@CompuServe.COM>

Subject: Green Book, Draft 3.6

Message-Id: <930830174446_100013.1437_BHB54-1@CompuServe.COM>



Draft 3.6



Green Book on the Security of Information Systems - Draft 3.6



Table of Contents

1.	Preface

2.	Introduction

3.	Scope

4.	General issues

4.1.	Globalisation of the economy and mobility

4.2.	Internal Market ("four freedoms")

4.3.	Human Rights and the protection of communications

4.4.	Social acceptance of identification methods

4.5.	Human Rights and the safety of systems

4.6.	Management of openness and protection

4.7.	Common concerns of commercial and national security

4.8.	Security and law enforcement on international scale

4.9.	Economics of the security of information systems

4.10.	Social recognition of information crime

4.11.	Safety critical environments

4.12.	Embedded systems

5.	Demand related issues

5.1.	Agreement on security requirements for enterprises

5.2.	Agreement on security requirements for individual users

5.3.	Security objectives for enterprises

5.4.	Sectoral specifics

5.5.	Security methodologies

5.6.	Security domains

5.7.	Data labelling

5.8.	Access control and authenticity issues

5.8.1.	Access control

5.8.2.	The individual right to signature

5.8.3.	Consistency of legal principles

5.8.4.	Signature schemes

5.8.5.	Key usage

5.8.6.	Universal acceptance

5.8.7.	Security of electronically stored information

5.9.	Privacy enhancement issues

5.9.1.	Perception of requirements for privacy enhancement

5.9.2.	The case for the provision of public confidentiality services

5.9.3.	Interworking of autonomous confidentiality services

5.10.	Motivation to acquire evaluated solutions

5.11.	Consistency of procurement practices

5.12.	Information Valuation

6.	Supply related issues

6.1.	Supply related Issues - Trusted Third Parties

6.1.1.	Role of Trusted Third Parties

6.1.2.	Operating principles of TTP

6.1.3.	Accreditation and audit of TTPs

6.1.4.	Use of names and certification of credentials

6.1.5.	Key management service

6.1.6.	Management Services for Names and Credentials

6.1.7.	Legal services

6.1.8.	Guaranteed date and time stamping

6.1.9.	Negotiable document transaction

6.2.	Supply related issues - Evaluation of trusted solutions

6.2.1.	Perceived Requirements for trusted solutions

6.2.2.	International harmonisation and mutual recognition

6.2.3.	Vendor declarations

6.2.4.	Evaluation of applications

6.2.5.	Evaluation of communication services

6.2.6.	Trusted network management

6.2.7.	Modifications to evaluated products and re-evaluation

6.2.8.	Performance reporting for trusted products

6.2.9.	Rationalisation of evaluations

6.3.	Supply related issues - technological change

7.	Liability related issues (Consequences of Security and Safety Incidents)

7.1.	Framework for international law relating to IS

7.2.	Legal provisions for liability in global services

7.3.	Insurance issues

7.4.	Monitoring of compliance

7.5.	Metrics for loss assessment

8.	Spectrum of Measures

8.1.	Common Framework and Consensus

8.2.	Awareness, education and training

8.3.	Agreements

8.4.	Common Practices and Codes of Conduct

8.5.	Specifications

8.6.	Standards

8.7.	Products and Services

8.8.	Technology

8.9.	Regulation and Legislation

8.10.	Accreditation

8.10.1.	Accreditation of Services

8.10.2.	Accreditation of TTPs



Annex: Recalling the Action Lines from the Council mandate

Action line I - Development of a strategic framework for the security of information systems

Action line II - Identification of user and service provider requirements for the security of information

Action line III - Solutions for immediate and interim needs of users, suppliers and service providers

Action line IV - Development of specifications, standardisation, evaluation and certification in respect of the security of information systems

Action line V - Technological and operational developments in the security of information systems

Action line VI - Provision of security of information systems



Draft 3.6/Version: July 14, 1993



1.	Preface



The Council adopted in May 1992 a Decision in the field of the security

of information systems comprising the development of overall strategies

for the security of information systems (action plan) and setting up a

Senior Officials Group (SOG-IS) to advise the Commission on action to

be undertaken. The action plan has as its objective the development of

overall strategies aiming to provide users and producers of

electronically stored, processed or transmitted information with

appropriate protection of information systems against accidental or

deliberate threats.



The scope of the Decision foresees the following lines of action:

I.      Development of a strategic framework for the security of information systems;

II.     Identification of user and service provider requirements for the security of information systems;

III.    Solutions for immediate and interim needs of users, suppliers and service providers;

IV.     Development of specifications, standardisation, evaluation, and certification in respect of the security of information systems;

V.      Technological and operational developments in the security of information systems; and

VI.     Provision of security of information systems.



The action plan is implemented by the Commission, in close association

with related actions in Member States and in conjunction with related

Community research and development actions.

As a step towards the formulation of the "Action Plan" identified in

the Council Decision and in accordance with the opinion of SOG-IS a

"Green Book on the Security of Information Systems" is being prepared,

which addresses, in accordance with the Annex of the Decision, an

overall view of the issues involved, and the spectrum of measures that

result from an analysis of the issues.



The present document sets out the background to the development of a

consistent approach to Information Security in Europe taking into

account common interests with other countries.



The intention of the Commission Services in preparing the present

document is to encourage a better understanding with the sector actors

in the Community on Information Security issues and to develop a

consensus on the requirements to be considered.  It therefore does not

necessarily represent the views of the Commission Services, or of the

Senior Officials Group for Information Security, on the subject, but

rather provides a basis for reflection and concertation with sector

actors and Member States.



The "Green Book" represents an intermediate step towards the

formulation of the Action Plan foreseen in the Council Decision. It is

intended to state the main issues related to the security of information

systems in its context.  A deliberate effort has been made to present the

subject matter in as objective a fashion as possible. By progressively

widening the consultation in the preparation of the document, the wish

is to obtain a representative and balanced view of the issues and the

nature and implications of the options for action one may wish to

consider. In its presentation the document intentionally avoids

voicing an opinion on the framework or organisation which might be

adopted to address a given issue or requirement. Such recommendations

are to be included in the Action Plan.



Note on Draft 3

The preparation of the document comprises four successive phases,

with iterative steps:

Phase I: Preparation of an Outline and Collection of material

Phase II: Drafting

Phase III: Informal Consultation

Phase IV: Formal Consultation

In its present form it relates to the result of Phase II of the

preparation of the Green Book.



The present draft document is the result of numerous contributions

received from experts, working in the framework of IBAG, SRI, the

Security Investigations and SOG-IS members (over 60 contributions

received).  To develop the thinking on specific groups of issues, the

Advisory Group, reinforced by other experts, was consulted and

contributed to the development of the document:



G. Axelsson      F. Iribarne Navarro    F. Piau
C. Blatchford    C. Jansen              E. Pimentel Saraiva
L. Cabirol       M. Jones               R. Pizer
D. Cerny         M. King                K. Presttun
B. Collins       S. Kowalski            M. Purser
M. De Soete      H. Kurth               K. Rihaczek
A. Eriksen       P. Landrock            G. Roelofsen
S. Geyres        O. Leiberich           R. Rueppel
A. Hallan        R. Moses               G. Ruggiu
G. Hardy         P. MAller              M. Tuset
S. Herda         A. Parondo             P. van Dijken
E. Humphreys     A. Peralta             D. Willis



Their contribution and valuable advice is gratefully acknowledged.



2.	Introduction



Individual, corporate and national wealth is increasingly in the form

of information. The growth and performance of an estimated 2/3 of the

economy relies on manufacturing or services heavily dependent on

information technology, telecommunications and broadcasting, and

therefore depends critically on the accuracy, security and

trustworthiness of information. This is of as great importance and

interest for individuals as for commerce, industry and public

administrations. Correspondingly, the protection of information in all

its aspects, here referred to as Information Security, has become a

central policy issue and a major concern world-wide.



The Council Decision of March 31, 1992 in the field of information

systems recognises this situation and calls for the "development of

strategies to enable the free movement of information within the single

market while ensuring the security of the use of information systems

throughout the Community".



A consistent approach at European level could help to promote the

interoperability of systems, lower existing barriers and avoid the

formation of new ones between the individual Member States and with

other countries. Therefore, there is an urgent need to address

requirements and options for action in the field of security of

information systems at national, Community and international level in

close collaboration with sector actors and national governments. Any

action must take into account both national and international

commercial, legal and technical developments.



The key issue is to provide effective and practical security for

information held in an electronic form to the general users, the

business community and administrations without compromising the

interests of the public at large.



Since information security is involved in the protection not just of

property and people, but even of society itself, Member States regard

it as a topic which, like defence, touches on national sovereignty.



Structure of this document



The core of the document describes issues and requirements for

action. These issues are grouped under the following headings:



General issues. Here some of the basic issues relating to the

security of information systems are described. These place

security into a fast evolving world economy and treat issues

like rights and obligations, human rights, openness and

protection.



Demand related issues. Issues under this section are concerned

with requirements, security objectives, Codes of Practice, and

the needs for digital signature and privacy enhanced

communications.



Supply related issues. The subjects discussed cover possible

answers to the demand for security and include Trusted Third

Parties, evaluation and R&D.



Liability related issues. Under this heading issues relating to

the consequences of security breaches are dealt with. These

include civil law and insurance.



The diagram below depicts this structure.



3.	Scope



4.	General issues



4.1.	Globalisation of the economy and mobility



Issue



The internationalisation, diversification, pluralisation and

popularisation of the use of communications and information systems.



Discussion



The unprecedented increase in mobility and the provision of global

communications has resulted in manufacturing, trade and leisure

activities extending world-wide. Distributed manufacturing, publishing,

and financial operations form the back-bone of the modern economic

system. Travelling and communications for business or pleasure are

common place. This is being supported, and sometimes driven, by a

spectacular development in the field of communications and by the

proliferation of affordable and easy to use information systems. In the

last decade the cost-performance of long-distance transmission has

improved by 5 orders of magnitude. This change is providing the basis

for a rapid diversification of world-wide services customised to

provide access to a full range of information services and utilities

wherever and whenever required. Terrestrial, satellite and mobile

networks provide the physical infrastructure and an unrestrained number

of service applications provide the customised applications.



The nature and scope of provision of Information Security in this new

world of open, multi-service and multi-media communications with a

multitude of alternatives to routing, management and access has

profoundly changed the requirements and options for Information

Security (IS).



Requirements



Revision of the scope and approach to information security to

reflect the new conditions, challenges and requirements brought

about by globalisation



Adaptation of the respective policies and regulations.



4.2.	Internal Market ("four freedoms")



Issue



Alignment of the national conditions relating to Information Security

with the conditions of the Internal Market



Discussion



The Internal Market provides for the "four freedoms" within the

Community, ie free movement of goods, capital, services and people. The

legislation of Member States provides for the internal needs for

Information Security; however, the requirements in the case of

trans-European communications remain to be addressed. Inconsistent or

incomplete provisions of information security represent a technical

obstacle to the working of the Internal Market.



Requirements



Verification of the existing provisions with respect to their

conformance to the Internal Market Policy of the EC implying

the removal of existing internal barriers and the avoidance of

the formation of new technical barriers due to divergent

application of IS rules, regulations and legislation



Provision to business and the public of IS solutions freely

applicable throughout the Community and on a preferential basis

at the international level.



4.3.	Human Rights and the protection of communications



Issue



To reconcile the human right to privacy and the obligations of law

enforcement to protect public order.



Discussion



Privacy and the protection of private information is considered one of

the fundamental human rights of citizens and is protected to varying

degrees in Member States. The European Convention on Human Rights

states "Everyone has a right to respect for his private and family life,

his home and his correspondence". Citizens have the legitimate

expectation that this right is respected and that solutions are made

available to them that ensure the safeguard of this right. This applies

to conversation in the home and to a lesser degree when

telecommunications is being used. However, prevailing national

solutions do not, at present, provide for trans-European services and

communications and this lack can be exploited, inter alia, by organised

crime. With the rapid growth and diversification of communication

services the rights and duties of citizens and law enforcement are

being reviewed and redefined, eg FBI supported legislation and the

proposal of the government to provide US business and citizens with

cryptographic devices including explicit provision for intercept by law

enforcement agencies.



In this context, it should also be noted that the Maastricht treaty

establishes a citizenship of the Union, and that every person holding

the nationality of a Member State shall be a citizen of the Union.



As the safety and security of the citizen provided by the process of

law and order is also related to human rights, reconciling these

objectives represents a delicate political issue.



The diagram below gives an overview of international, Community and

national responsibilities for different application categories.



Requirements



Definition of a common approach defining rights,

responsibilities and duties of citizens and business on the one

hand, and that of the authorities on the other hand.



4.4.	Social acceptance of identification methods



Issue



To reconcile the human right to privacy and protection and the use of

identification methods to control human access to systems, buildings,

offices and other physical environments.



Discussion



The use of biometric methods is becoming more technically feasible and

cost-effective as an identification technique for access control. Such

methods rely on a system of machine recognition of a set of personal

characteristics to verify the identity of an authorised user in order

to allow access to some physical environment. Such personal

characteristics include hand-written signatures, fingerprints, voice

prints, machine phrenology, lip prints, response of the skeleton to a

physical stimulus, hand geometry and retinal patterns.



Many other different personal characteristics and recognition

techniques are being investigated by researchers. Some of these affect

the human right to privacy more than others and some are socially

unacceptable.



As an example, the retinal blood-vessel pattern of a human eye (retinal

vasculature) is highly characteristic of the individual. A typical

system might work as follows. The individual is required to look into

an optical device and through a process of optical adjustment fixate on

a crosswire whereby the recognition machine will locate the fovea of

the individual, and scanning with a low intensity infra-red beam detect

the nodes and branches of the retinal pattern falling within the

scanned area. The measured pattern is compared with the stored pattern

of the individual and access is granted or denied depending on the

result of the comparison. This method of machine recognition may or may

not be considered socially acceptable on the grounds of hygiene, due to

the type of information being stored about the individual (a record of

which may be built up which may reveal other information relating to a

person's health condition) or the general problem of protection of

medically relevant information.



There are systems under trial for the recognition of human profiles eg

the human face. Again these systems may not in general be socially

acceptable and the issue of privacy and human rights may come into

play.



Progress in bio-technology raises new questions as to the definition of

privacy and as to the rights of the individual over information

relating to his person and the assurances required for its use.

Information relating to genetic defects is of obvious sensitivity and

implies corresponding measures for protection. Work may need to be

undertaken to set out a clear definition between things that are

biometric and things that are medical.  At the present time there is

low confidence by the general public in the honesty of commerce or

government in the field of bio-technology.



Requirements



Clarification of the ownership and privacy issues surrounding

biometric data



Development of an agreed classification of biometric data and

conditions requiring secure handling of such data



Development of a common approach defining the rights and

responsibilities of citizens, business users, corporations and

administrations using biometric techniques.



4.5.	Human Rights and the safety of systems



Issue



To reconcile the human right to an expectation of the supply of goods

and services that are not life threatening with the vendors' commercial

needs to supply goods and services that exploit information systems in

safety critical functions.



Discussion



Safety critical systems differ from security critical ones in that if

they fail, death or serious injury to people may result. The law treats

the liability of suppliers in this situation differently from that

where information is lost or property damaged. Suppliers are held

strictly liable. Codes of practice for the development of safety

critical systems exist in order to reduce the chance of failure and

design techniques are invoked to analyse all possible hazards.

Nevertheless risks remain.



At a community level, harmonisation of such codes of practice and

design techniques would enable citizens to have greater expectations of

their own safety in any member nation, and it would reduce the costs of

development of codes of practice and design techniques in each nation.

Furthermore, pan-community procurement would be facilitated, as would

the development of safety critical systems by community wide

consortia.



Requirements



Review of current design practices and codes of conduct with

the aim of generating a community wide standard for such

processes



Study the legal environment within which vendors and users of

safety critical systems work, with the objective of harmonising

that environment.



4.6.	Management of openness and protection



Issue



Openness and protection are partially contradictory user requirements,

which need to be reconciled depending on the specific circumstances.

The user must be able to define the security controls based on need,

consistent with national, international and regulatory constraints.

These controls need to be managed in a way that provides protection in an

open environment.



Discussion



In considering management, one must introduce the concept of a user of

an Information System, and the role that they perform in using that

system.  At any time the user of an Information System will be

performing a role, which could be one of: system owner, administrator,

auditor, investigator, data provider, reviewer/collator. It is quite

possible for the requirements of these roles to be logically in conflict

with each other. Openness of access may be in conflict with protection

from general availability. There may also be national, international or

regulatory constraints which impose role requirements beyond those

needed to satisfy the operational use of the Information System.  An

open environment must be provided with controls that are capable of

providing protection without technical limitations.



A single, isolated computer may be effectively protected, as far as

confidentiality is concerned, against threats from outside by physical

separation and human administration. This does not apply in the context

of telematics. Telecommunications and telematics applications are

increasingly being designed for maximum openness and inter-operability

since the utility of ITT&B-based services and applications depends

largely on the possibility of users world-wide being able to freely

inter-operate over communication links. Major international efforts are

underway to establish standards permitting this, in particular through

OSI (Open Systems Interconnection), ODP (Open Distributed Processing)

and ONP (Open Network Provision).



The acceptance and use of telematics services depends on meeting the

justifiable interests of all parties: in particular to be able to choose

trade-offs between "openness" and "protection".



In recognition of this, increasing attention is being given to the

provision of Information Security Services and Techniques.



The comparison with the way this dilemma is traditionally addressed

leads to some observations which most likely will also apply when

information is handled electronically. These include, for example:



The User/Originator requires the freedom to decide over the

degree of openness/protection depending on his appreciation of

the requirement or the applicable rules of conduct for the

given activity.



Profiles exist setting out the needs of both openness and

protection that need to be supported.  A single level profile

will not support the requirements of all the users involved,

and there may need to be mechanisms which allow for negotiation

between profiles to determine temporarily agreed common

profiles.



Infrastructure, services, applications and organisation have to

be adapted to provide the openness/protection.



To the role holders, both the visibility of and the

transparency of the degree of openness/protection is crucial.



Accountability for the application of appropriate levels of

openness/protection requires objective records, which are

themselves protected.



The management of the openness and the protection of

Information Systems requires the definition of security

domains.  These correspond to the security policies which are

in force for the Information Systems in use, as modified by the

constraints of the role holders.  It should be remembered that

computers which are not directly under human supervision may

form part of the security domains involved.



Requirements



Development of a generic framework for the management of open and

protected communications in a user/business oriented environment:



1.	Reinforcement of the options to define security domains 

Terminal users, servers and other computer based resources link

into business processes to provide information domains which

require corresponding security domains.  Such facilities must

not only promote the correct degree of openness, but must also

provide filters against unauthorised access. This needs to be

possible not only at one site eg on LAN-Based applications, but

also via MANs and other communication-links. The definition and

management of such security domains needs to be possible either

from within the user group or provided by a trusted third

party. Virtual Private Networks have some of the features, but

these would also need to be available in the context of public

network based applications.



2.	User Interface for the management of openness/protection



The normal usage requires the ability to communicate either

with specific correspondents, a select group, an open group or

indiscriminately. The choice is determined by the nature of

the information, its function and the applicable rules. The

user-interface needs to cater for this as well as the

underlying services and applications.



3.      Objective records and procedures for the accounting of

open/protected transactions



Processes must be available that provide non-refutable evidence

of the origin of, and delivery of, information to all involved

partners.



4.7.	Common concerns of commercial and national security



Issue



Information Security is a common concern of business, administrations,

citizens, law enforcement and defence.



Discussion



Though not to the same degree, commercial and personal information

security shares many aspects with the defence and other classified

governmental affairs. This provides an opportunity for commercial and

personal applications to build on experience and expertise from the

defence and classified government area.



The reverse is also true. As commercial security advances and becomes

available at a large scale, governments and defence organisations are

well advised to take into account this body of experience. In addition

governments themselves are, of course, in need of adequate

protection of their non-classified information and will wish to make

use of public services of this kind.



Requirements



Concerted effort to address the common requirements of

business, citizens and authorities to adequately protect

commercial and personal information and its communication



Definition of common rules and procedures distinguishing the

handling of classified and commercial and personal

information.



4.8.	Security and law enforcement on international scale



Issue



Crime is exploiting weak information security to further its ends.

Strong information privacy may also be used to escape investigation by

law enforcement.



Discussion



Crime, and here organised crime and terrorism in particular, are

relying on weak information security to prepare and execute their

operations. As quite powerful means for information security have been

published and are freely available, their increased use in protecting

such operations is a growing problem. Public authorities have in the

past used legal and regulatory powers to restrict the use and

dissemination of related technologies. With the growing availability of

computing power and open networks, this approach is getting less

effective, as organised crime, contrary to the legitimate user, is not

concerned with the use of products that are not authorised. The overall

result is that business is seriously constrained in meeting its

security requirements, particularly in international communications and

in its relations with other organisations. If business requires the

legal and regulatory powers to relinquish total control over these

security related technologies, business has a "duty of care" to manage

and control their use for their commercial and business purposes,

including the policing and auditing of management environments.



Requirements



An effective, internationally agreed, economic, ethical and

usable solution to meet business, administration and personal

needs including mechanisms for authorised interception and

reporting of incidents and crimes adjusted to the conditions of

the Internal Market, and to include the necessary equipment and

software, but also an infrastructure of Trusted Third Parties.

This will discourage "home-made" or other solutions.



4.9.	Economics of the security of information systems



Issue



The use of information security impacts on costs, performance and

availability.



Discussion



The cost of security is an integral part of cost of ownership of an

information system, ie without security the user's system is

at risk. The cost of protection against breaches of security needs to

be commensurate with the costs (both direct and indirect) that may be

incurred from a breach in security. A security breach may have short

term (and perhaps, localised) implications such as loss of sales and

revenue or fraud or theft. It may also have longer term (and wider)

impacts on business communities through loss of confidence and

consequential loss of business.



The costs of detection, resistance and recovery can be both tangible

and high, and although there are techniques available to quantify risks

there are no generally applicable methods for estimating the potential

costs arising for example from denial of service or loss of integrity.

The provision of security measures may also make a system harder to use and

may constrain its overall performance. However, where the security risk is

high enough to cause an unacceptable level of compromise, leading to

considerable commercial and financial loss, then security measures must

be given high priority commensurate with the nature and value of the

business in question.



If IS is too expensive, clumsy, not effective in the context of actual

usage or not available in time, its use is avoided and high risks are

taken until something drastic happens. The issue for IS is therefore

not only to be effective but also to address other requirements which

impact the acceptability and application of IS.



In particular, countermeasures may have to be put in place that meet

specific regulatory or legislative requirements, with associated

mandatory assurance needs.



To a business, securing information can be thought of as being like an

insurance policy - the cost of protection must be balanced against the

likely consequences of the perceived threat occurring. This cost is

made up of a number of elements, including:



the life-cycle costs of implementing the countermeasures in

relation to likely and worst case



impact on business performance



liability of management for incidents and relationship with

customer confidence.



Requirements



Development of an approach to a "cost of Security" model for a

business and the private user. This includes, among other

potential costs, the cost of installation, operation,

maintenance, up-grade and insurance premiums as well as direct

financial losses due to breaches of security.



Definition of IS as a business and marketing factor.



Codes of practice and other recognised regulatory norms need to

be developed which identify to a level acceptable to

insurers, regulators and the commercial courts specific duties

and responsibilities of the parties to the use of Information

Systems and their security requirements.



4.10.	Social recognition of information crime



Issues



Negligence, ignorance and recklessness are some of the causes of

many security events and create the opportunity for information

crimes.



Discussion



IS-incidents, like failures to observe safety rules, can in many

instances be attributed to a lack of motivation. This is compounded by

the fact that the loss of immaterial goods, for example information, is

not considered as serious as the loss of material goods. This is due in

part to the fact that electronically stored information can be

reproduced at close to zero costs without the loss of the original.

Stealing information is therefore often considered as a gain for the

thief without a loss to the owner. It is perceived by many to be a game

rather than a real problem because people are unable to relate the

electronic world to the real one. This has the double effect of

inciting negligence by the owner of the information and little concern

for the illegal acquisition of information. Because of the widely

practised back-up of information resources, this applies even to the

intentional or accidental destruction of information.



There is much work in establishing and reinforcing "ethical principles"

as applied to specific actions of information ownership, creation,

dissemination, etc. These need to be related to sector actors, their

control perspective and the assets over which they exercise either

explicit or implicit authority. This needs to be related to codes of

practice and conduct, legislation and regulation to establish the

extent to which protection is dependent upon a formal or informal

control environment or can rely on the enhancement of ethical and

professional standards. At the moment there are no effective

professional standards in IT; anyone can do IT by buying a PC and

taking a bulletin board subscription. Changes to traditional

programming techniques have made it possible for non-IT professionals

to deliver programming and systems analysis methods. In many SMEs such

work would often be done by non-IT professionals.



Two examples of computer crime illustrate the diversity of situations

which may arise:



Example 1

In a German company (belonging to the "Association for Security") a

programmer, dissatisfied with his salary, caused damage with a specific

computer program. This program modified the data of a data bank by

randomly controlled accesses. The program was intricately hidden

among other program parts. Within two years the data bank became more

and more defective and damaged. The costs of damages and of

reconstructing the data bank were about 500 000 ECU.



Example 2

In an office of the German Government a huge computer system,

comprising various storage means and terminals, was installed. Suddenly

the computer execution times and the response times became much longer

than expected. After a difficult investigation it turned out that a

programmer, who together with his wife had founded a mail-order shop for

photo equipment, had done the complete accounting, mailing, etc.

for his shop on the computer in a hidden area. He had camouflaged or

suppressed the logging of this program. He caused damage of

about 100 000 ECU.



Requirements



Development into basic education of the Information Security

requirements and concepts needed to operate safely in the

Information Age



Clarification of "Info-Ethics" for the professional and

individual user in its relationship to Information Security



Clarification of responsibilities of the sector actors in

general and in their relations with each other, with

particular reference to open and distributed applications.



4.11.	Safety critical environments



Issue



Protection of information in safety critical environments.



Discussion



Safety is defined in terms of hazards and risk. A hazard is a set of

conditions (a state) that can lead to an accident, given certain

environmental conditions. The analysis of the safety environment

involves identifying the hazards within a safety critical environment

and then either verifying that hazardous states cannot be reached or

that the risk is acceptable. Risk is defined as a function of the

probability of a hazard occurring, the probability that the hazard will

lead to an accident, and the worst potential loss associated with such

an accident. You can diminish risk by reducing any or all of these

factors, and there are environmental-safety techniques that focus on

each.



There is an increase in the use of information systems within various

areas of application which are considered as part of a safety critical

environment, for example in the area of healthcare (eg medical

databases), air traffic control, transportation of hazardous and

dangerous goods, industrial processes etc. The increased reliance on

electronic information in these various areas of application

specifically related to the control and management of safety, has

resulted in an increased need for the protection of the information

system supplying such information. Therefore the protection of

information systems used in safety critical environments is a factor to

be addressed when considering hazards and associated risks in such

environments.



Consideration needs to be given to the common requirement of security

and safety, common methods for analysing the threats, vulnerabilities

and hazards, and the role of security evaluation for safety-critical

systems.



Requirements



Development of a common approach to the handling of security

and safety critical requirements



Development of a common methodology for threat, vulnerability

and hazard analysis for the protection of information systems

used in safety-critical environments



Generation of common methodology for the design, development

and procurement of safety critical systems, covering project

management, development environment, auditing of process,

configuration management and change control



Development of a common approach to security evaluation of

information systems in safety-critical environments.



4.12.	Embedded systems



Issue:



Increasing use of computers and information processing is occurring in

a manner that incorporates information/computers into other products to

make those products more usable, flexible, etc. These embedded systems

depend upon the accuracy of the programs they contain and the

information inputs/outputs to preserve the usefulness of the products

in which they are placed. Failure of the processor or corruption of the

programs or information contained may cause failure or destruction of

the device or hazard to the user.



Discussion:



Embedded systems are already being used in automobiles for controlling

ignition and carburetor systems or braking systems, in television sets

and VCRs, in microwave ovens, and so on. As embedded systems

proliferate they create potentials for physical hazard to users beyond

simple loss of the functionality of the devices in which they are

embedded. The potential will also exist that such embedded systems

could constitute a hazard to the well-being of bystanders or property.

For example, one scenario of embedded systems would have them in

household appliances and include the capability to communicate

potential failure information to maintenance providers. The potential

exists that such a device could fail in a mode that would put household

or service providers' telephone systems at risk.



To some extent, liability laws will cover product failures which create

damage to users. However, there may need to be some added means of

ensuring the reliability of embedded systems and the integrity of the

systems as they leave the factory. These means may include:



Requirements



Development of methods of testing that enable standards of

reliability to be ensured, including tests to destruction where

appropriate



Development of an approach for the certification of samples



Definition of requirements for fail-safe system architectures

and implementations



Definition of anti-tampering and protection specifications and

standards.



5.	Demand related issues



5.1.	Agreement on security requirements for enterprises



Issue



Identification of real world security requirements and objectives for

business and administration.



Discussion



The protection of information systems must be all embracing.

Consideration must be given to requirements from the view point of the

enterprise, taking into account corporate and organisation plans, goals

and strategies of the business or administration. Requirements at this

level can be then translated into "Security Objectives" - why the

security functionality is required as it applies to the operation of

the business or administration environment.



These security objectives need then to be supported by a definition of

the security functionality and related services required to

support the user/business.



The security model has not included legal, accounting or regulatory

requirements which may be imposed upon enterprises rather than forming

any integral part of the Enterprise requirements.



Given the complexity and diversity of user/enterprise requirements for

such protection it is necessary to classify the requirements in some

structured way consistent with real world business and operational

environments.



The protection of information systems needs to consider the enterprise

requirements of the "business". These requirements not only include

functionality that is "owned" by the enterprise but must include

inter-enterprise requirements as well. It must consider the

functionality and assurance of IT building blocks, end user

applications, integration enablers (such as electronic mail), operating

systems, communication services and protocols, and basic hardware and

software platforms.



The balance of functionality (what it does) and assurance (how well it

does it), both generic and application specific, will determine the

extent to which electronic information systems are accepted as an

integral part of both the public and corporate IT infrastructure to

underpin business actions.



The prime requirement for any secure system must be a set of

architectural principles that can be effectively translated into an

overall design framework. Secure systems must be created at different

"grades of assurance" from a set of policies, standards and

procedures.



Specific security requirements relating to open systems will come from

a threat assessment and risk analysis which will form part of the

overall system security policy process.



The cost of security is an integral part of the cost of ownership of an

IT system, ie without security the user's system is at risk.

The cost of protection against breaches of security needs to be

commensurate with the costs (both direct and indirect) that may be

incurred from a breach in security. A security breach may have short

term (and perhaps, localised) implications such as loss of sales and

revenue or fraud. It may also have longer term (and wider) impacts on

business communities through loss of confidence and consequential loss

of business.



The costs of detection, resistance and recovery can be both tangible

and high, and although there are techniques available to quantify risks

there are no generally applicable methods for estimating the potential

costs arising for example from denial of service or loss of integrity.

The provision of security measures may also make a system harder to use and

may constrain its overall performance. However, where the security risk is

high enough to cause an unacceptable level of compromise, leading to

considerable commercial and financial loss, then security measures must

be given high priority commensurate with the nature and value of the

business in question. Sectoral requirements vary widely, as do

requirements by size of enterprise within a sector.  Sectoral

requirements may be varied by regulation, bilateral international

agreements, general trading agreements or conventions.



Increased demand for Electronic trading from all kinds of businesses,

both public and private sector, will place requirements for security on

the communal service infrastructure that provides the capability for

such business activities. The regulatory and legal environment within

which such service organisations work will become a factor for economic

growth in the community, and security of service provision an element

of such services.



Requirements



Development of a taxonomy and directory of user requirements

and security objectives derived from real world business

applications.



5.2.	Agreement on security requirements for individual users



Issue



Identification of security requirements and objectives for individual

users.



Discussion



The individual user, in their role as a private citizen or as a member

of a liberal profession (eg a lawyer or medical doctor), has a natural

interest, and sometimes a legal requirement, to protect some of their

information. Unlike in the case of the enterprise, the individual user

will not normally go through a systematic process of establishing

goals, definition of security objectives, etc, unless they are subject

to professional standards of conduct.



The individual normally has at his disposal a PC (or small network of

PCs) and some communication links, eg telephone, fax, e-mail. Physical

security is likely to be weak.



Most liberal professions work under some codes of practice or conduct.

These codes are of a general nature and do not normally specify

particular security arrangements.



The common and specific requirements of individual users, with regard

to the protection of their computer installation (physical and

electronic), the protection of their data (against accidental and

deliberate loss) and the protection of their communications (eg signed

communications, privacy enhanced communications) must be established.



Requirements



Development of user profiles identifying standard types of

users together with typical requirements.



5.3.	Security objectives for enterprises



Issue



Definition of Security Objectives for enterprises.



Discussion



Security objectives are related to confidentiality, integrity,

availability, legality and auditability. Controls are related to

segregation of duties and methods for obtaining independent audit of

the achieved results of an Information System.  Controls may also

relate to the reasonableness or plausibility of information or an

activity.



A security objective is a description of what security the enterprise

is trying to achieve eg why this security control/function is wanted.

It is a mission statement of the user/enterprise which describes why an

aspect of security is needed. It is a user/business target or purpose

to which security is being addressed. For example, consider the subject

of data integrity and the objective "Prevent unauthorised modification

to data". The security objective has the objective "Appropriate

mechanisms should exist to preserve the integrity of data". For example

this may be related to data held on a medical database, on a company

financial database, in an airline reservation system or a geographic

information system.



Security objectives are thus concerned with the preservation of

information with regard to its utility, availability, authenticity,

integrity and confidentiality within the enterprise and between

enterprises or concerned with some user environment. These are

dependent upon more detailed definitions of business control being

made. The structure and organisation of the specialist accounting

functions in a business are examples of business controls.



The organisation of security within enterprises in terms of business

control structures or in the case of some user environment (eg legal,

accounting, audit etc) and functions (eg IT, human resources,

insurance) needs to be integrated with a set of security policies,

standards (both public and in-house), and made compliant with laws and

regulations (eg computer crime manual), guidelines and codes of

practice etc.



The process of producing a security policy requires the use of a set of

security methodologies, tools and evaluation criteria. For example risk

analysis methods, baseline controls, and evaluation criteria (eg ITSEC,

Federal Criteria etc.).



Security objectives thus encompass a set of objectives (and possibly

sub-objectives) and a set of related issues that reflect specific

points of concern, problems, questions relative to business

requirements, controls and applications.



The diagram below shows the relationship between Security objectives,

Security organisation, and Security methodologies. Laws apply to the

user environment directly.  Their presence generates some of the

security objectives.  Standards may be both mandatory and

discretionary, and may incorporate methodologies.  The final box covers

security methods and techniques.



5.4.	Sectoral specifics



Issue



Beyond the normal requirements common to different business sectors and

user environments there may also be additional requirements and

priorities specific to the operational nature and commercial mission of

a particular business. These specific requirements can be normally

expressed in terms of codes of practice and baseline controls.



Discussion



Legal and regulatory provisions can be supported by Codes of Practice

to achieve due care and diligence. There are those of general

application and those that are industry specific. A general Code of

Practice may be achieved by the establishment of a security management

handbook, maybe based upon the approach taken for achieving a Quality

code of practice (ISO9000). The application of IS is a prerequisite for

the successful conduct of business for particular sectors, especially

when these sectors are highly interactive. The most prominent among them

are:

Finance

Trade

Medical

Telecommunications

Administrations.



Requirements



Development of a set of codes of practice and baseline controls

addressing specific business sector requirements.



5.5.	Security methodologies 

Issue



Selection of security requirements analysis methodologies (eg risk

analysis methods, codes of practice etc.) and related safety hazard

analysis methods relevant and applicable to the user/enterprise

business policies and controls.



Discussion



Any security policy formulation must derive its requirements statement

from an assessment of the potential threats against the business and

the supporting service infrastructure of the IT and telecommunication

processes. This will allow an eventual implementation with clearly

understood trade-offs, administrative and technical measures against

human malefactors, and a balance between security cost and level of

operational fitness; these are components of a Risk Management

strategy. The risk management strategy on a European level should be

based on a rigorous and consistent approach to the analysis of the

threats to and vulnerabilities of the system and its components, and

where appropriate safety hazards. This approach should be based as far

as possible on existing, and, possibly, standardised, risk/hazard

analysis modelling techniques and products. The issues include:



adequacy of present risk assessment techniques



awareness about current trends, and modelling



awareness of the responsible security officers about security 



security breach incidents



safety hazards as they impact on or are related to the security

of a system and vice versa.



Requirements



Development of evaluation criteria and guidelines applicable to

the selection of security requirements analysis methodologies

(eg risk analysis and management methods, products etc)



Harmonisation and standardisation of a European and

international approach



Integration of security and safety methodologies where

appropriate to provide a coherent framework for the analysis of

assured systems.



5.6.	Security domains



Issue



Openness and protection.



Discussion



In practice, the level of IS is dynamically adapted to a given

situation. This leads to the concept of Dynamic IS Management and the

need to be able to define domains, in which IS is applied

homogeneously.



Security Domain Concept



Domains are user groupings sharing some of their functions and support.

For some activities they operate as virtually closed user groups, but

have the possibility to interwork with other domains as long as certain

minimum requirements ensure no loss of trust or a transparent

downgrading.



The notion of a security domain is therefore important for two reasons:



it can be used to describe how security is managed and administered, and



it can be used as a building block in modelling security

relevant activities that involve elements under distinct

security authorities.



Examples of domain activities are:



accesses to elements (eg a database for network management)

a communications link

operations relating to a specific management function

non-repudiation operations involving a notary.



Security Policy



The organisation of security within enterprises in terms of business

control structures or in the case of some user environment (eg legal,

accounting, audit etc) and functions (eg IT, human resources,

insurance) needs to be supported by a set of security policies,

standards (both public and in-house), laws and regulations (eg computer

crime manual), guidelines and codes of practice etc.



The security policy defines what is meant by security within the

domain, the rules by which security may be obtained to the satisfaction

of the security authority, and the activities to which it applies. The

security policy may also define which rules apply in relations with

other security domains in general, and in relations with particular

other security domains.



Requirements



The management of inter-domain openness and protection may be different

depending on similarities in purpose, and agreements will be needed to

achieve appropriate levels of assurance. Mechanisms by which TTPs

achieve efficient, coherent management of policies, procedures and

controls between domains need development:



generation of guidelines for domain creation, management and

control



development of a common framework for domain interworking



agreement on management, TTPs, accreditation, auditing and

relations with law enforcement agencies.



5.7.	Information labelling



Issue



Transfer of information between domains requires agreement on the

syntax and semantics of information labels, and of the procedures and

mechanisms for handling labelled information.



Discussion



The information label is a shorthand way of expressing the protective

measures that should be applied to the labelled information.



Information labelling is an essential part of ensuring that information

objects receive the appropriate level of security protection both

within and between security domains.



Trust between organisations depends on the assurance that information

will be handled in a way consistent with its security requirement in

terms of confidentiality, integrity, availability and non-repudiation.



The need for comprehensive labels has become acute because of the

increasing degree to which organisations interoperate electronically.

This has led to increased reliance on technical measures to achieve

adequate security. It is quite feasible for trusted systems to switch

on or off technical measures automatically providing that the label

adequately expresses the security requirement associated with a piece

of information. Labels could then be used to make decisions on

information routing, transmission enveloping, requirements for

confirmation and so on.



Organisations have to agree on the range of options that do meet any

particular security requirement. Part of the solution to the handling

of labelled information lies in the development of Codes of Practice

specifying procedures and mechanisms. There is also a need for

accreditation and audit of communicating partners. The introduction of

independent third parties avoids the pairwise interactions that would

otherwise be necessary to establish trust.



Requirements



Code of Practice for information labelling.



5.8.	Access control and authenticity issues



5.8.1.	Access control



Issue



Access control procedures to many systems are not standardised or well

managed.



Discussion



Computer systems and services impose control procedures on persons (or

other systems) attempting to access them directly or over local or

wide-area networks. These access control procedures apply to

"connections"; that is, they determine whether or not a connection,

association or session is allowed to be established. These control

procedures have often been primitive and relatively insecure, as the

occurrence of "hacking" demonstrates. For example, the only protection

afforded may be by a password, transmitted over the network "in clear"

so that any wiretapper with physical or electro-magnetic access can

read it.



The requirement for secure access control is not confined to access to

host computers by persons at terminals. Reciprocal (mutual) access

control is often needed between two (or sometimes more) systems. Access

control can apply across general telecommunication networks,

determining (for example) who may call whom by telephone; or who may

receive which programme on a cable TV network. In addition to applying

to end-to-end (trans-network) communications, access control also

applies to users and (even more importantly) operators accessing the

network and to access by human users to terminal devices.



Although the importance of access control is widely recognised, the

practical application of security techniques to solving the problem is

more limited. This is for a variety of reasons including technical

complexity, lack of agreed standards, lack of user acceptability and

lack of supporting infrastructure (such as TTPs).



Secure access control relies on a mixture of:



identification mechanisms (authentic naming) identifying the

remote person or system



authorisation mechanisms, determining the authority of the

remote person or system to carry out different types of actions



random (unpredictable) components, affording protection against

the re-use of once-valid access control messages under invalid

circumstances (replay)



cryptographic techniques to protect the above from

modification, copying, etc.



Without some analysis of access control scenarios, followed by some

outline standardisation work, users and systems are going to find

themselves having to implement and use (depending on their current

application) a range of incompatible techniques, which in turn rely on

only partially interoperable infrastructures (such as naming and

identification authorities, certification authorities, key management

systems, directory services, etc.).
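


The four elements listed above (identification, authorisation, an unpredictable component against replay, and cryptographic protection) can be combined in a challenge-response exchange, shown here beside the static password sent "in clear" that the Discussion criticises. This is an added illustration, not part of the Green Book; the shared keys, names, rights table and the choice of HMAC-SHA-256 are assumptions, and all sample data is constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (assumptions for this example only).
KEYS = {"alice": b"constructed-key-alice", "bob": b"constructed-key-bob"}
RIGHTS = {"alice": {"read", "write"}, "bob": {"read"}}
PASSWORDS = {"alice": "constructed-password"}


def legacy_check(name, password):
    """Static password sent in clear: any copy read off the line works again."""
    stored = PASSWORDS.get(name, "")
    ok = bool(stored) and hmac.compare_digest(stored, password)
    return "granted" if ok else "rejected"


def authenticator(key, name, action, nonce):
    """Keyed MAC over length-prefixed fields, so none can be altered or shifted."""
    fields = [name.encode(), action.encode(), nonce]
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Verifier:
    """Host side: issues one-time challenges and checks the responses."""

    def __init__(self, keys, rights):
        self.keys = keys
        self.rights = rights
        self.pending = set()          # challenges issued and not yet used

    def challenge(self):
        nonce = secrets.token_bytes(16)   # random (unpredictable) component
        self.pending.add(nonce)
        return nonce

    def check(self, name, action, nonce, tag):
        # Replay protection: each challenge is accepted at most once.
        if nonce not in self.pending:
            return "rejected: unknown or reused challenge"
        self.pending.discard(nonce)
        # Identification: the claimed name must be a known identity.
        key = self.keys.get(name)
        if key is None:
            return "rejected: unknown identity"
        # Cryptographic protection of name, action and challenge.
        if not hmac.compare_digest(authenticator(key, name, action, nonce), tag):
            return "rejected: bad authenticator"
        # Authorisation: the identity must hold the right for this action.
        if action not in self.rights.get(name, set()):
            return "rejected: not authorised"
        return "granted"


def demo():
    """Run the exchange over constructed messages and return each outcome."""
    out = {}
    # Static password: the second, replayed presentation is indistinguishable.
    out["legacy_first"] = legacy_check("alice", "constructed-password")
    out["legacy_replay"] = legacy_check("alice", "constructed-password")

    v = Verifier(KEYS, RIGHTS)
    n1 = v.challenge()
    msg = ("alice", "write", n1, authenticator(KEYS["alice"], "alice", "write", n1))
    out["legitimate"] = v.check(*msg)
    out["replay"] = v.check(*msg)              # same message presented again

    n2 = v.challenge()
    tag = authenticator(KEYS["bob"], "bob", "read", n2)
    out["modified"] = v.check("bob", "write", n2, tag)   # action changed in transit

    n3 = v.challenge()
    tag = authenticator(KEYS["bob"], "bob", "write", n3)
    out["unauthorised"] = v.check("bob", "write", n3, tag)

    n4 = v.challenge()
    tag = authenticator(b"not-a-registered-key", "carol", "read", n4)
    out["unknown"] = v.check("carol", "read", n4, tag)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} {result}")
```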



Requirements



There is a need for widely accepted solutions to the most common access

control scenarios. There is a need to:



identify and group access control scenarios, to determine

levels of commonality



identify techniques, products, specifications and standards

addressing access control, and associate them with the

identified scenarios



identify parameters common to most or all of the above

techniques, products, specifications and standards and

investigate the feasibility of establishing common formats for

them



identify the key features for coherence in the supporting

infrastructure



define a limited number of basic access control mechanisms for

pilot implementation.



5.8.2. 	The individual right to signature 



Issue



Individuals have the right to sign any information.



Discussion



As with hand-written signatures, anybody is entitled to use a digital

signature. Therefore, the distribution of keys for the purpose of

signature must be non-discriminatory and non-restrictive. Separate from

the signature is the question of authority, ie whether a certain person is

entitled to sign a certain element of information, document or

transaction.



Signature verification is therefore a two step process: formal

verification of the signature and verification of the authority of the

sender. This process is depicted below.



It is assumed in this simple model, that the sender adds his

certificate (name plus his public key) to the signed document. The

formal verification then establishes that a person with a certain name

has correctly applied his signature and that the document has not been

modified in transfer. Verification of authority checks that the name

has the legal authority to sign a particular document.



Note that as a consequence, the authority given to a person should not

be included in the attributes of the certificate, otherwise any change

in authority would invalidate the certificate.



The situation may be further complicated by the fact that several

signatures may be required for certain documents, eg husband and wife

plus notary, two company directors.
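


The two-step verification described above, with authority held in a register outside the certificate and a document type that needs two signatures, can be sketched as follows. This is an added illustration, not part of the Green Book; the names, the authority register, the `CERTIFIED` table standing in for a certification authority and the small unpadded textbook RSA keys are assumptions chosen so the example runs with the standard library only, and the keys are not suitable for real use.

```python
import hashlib

E = 65537  # public exponent shared by the constructed demo keys


def make_key(a, b):
    """Textbook RSA key from the Mersenne primes 2**a-1 and 2**b-1 (demo only)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))    # (modulus, private exponent)


# Constructed signers: two directors and a clerk.
KEYS = {"anna": make_key(521, 607), "bruno": make_key(127, 107),
        "carla": make_key(89, 61)}
# Stand-in for certificates vouched for by a certification authority.
CERTIFIED = {name: n for name, (n, _) in KEYS.items()}
# Authority lives here, not in the certificate.
REGISTER = {"company_contract": {"signers": {"anna", "bruno"}, "required": 2}}


def digest(doc_type, body, n):
    data = doc_type.encode() + b"\x00" + body
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(doc_type, body, name):
    n, d = KEYS[name]
    certificate = {"name": name, "public_key": n}   # name plus public key
    return certificate, pow(digest(doc_type, body, n), d, n)


def formal_verification(doc, certified):
    """Step 1: which names correctly signed the document as received?"""
    names = set()
    for cert, sig in doc["signatures"]:
        n = cert["public_key"]
        if certified.get(cert["name"]) != n:
            continue                                # certificate not vouched for
        if pow(sig, E, n) == digest(doc["type"], doc["body"], n):
            names.add(cert["name"])
    return names


def authority_check(doc_type, names, register):
    """Step 2: do enough of the verified names hold authority for this type?"""
    rule = register.get(doc_type)
    return rule is not None and len(names & rule["signers"]) >= rule["required"]


def verify_document(doc, certified, register):
    names = formal_verification(doc, certified)
    return sorted(names), authority_check(doc["type"], names, register)


def make_doc(doc_type, body, signers):
    return {"type": doc_type, "body": body,
            "signatures": [sign(doc_type, body, s) for s in signers]}


def demo():
    body = b"Constructed sample contract text"
    good = make_doc("company_contract", body, ["anna", "bruno"])
    clerk = make_doc("company_contract", body, ["anna", "carla"])
    tampered = dict(good, body=body + b" (altered)")
    # A certificate claiming the name "bruno" but carrying carla's key.
    fake_cert = {"name": "bruno", "public_key": KEYS["carla"][0]}
    forged = dict(good, signatures=[good["signatures"][0],
                                    (fake_cert, clerk["signatures"][1][1])])
    # Bruno's authority is withdrawn: the register changes, his certificate does not.
    later = {"company_contract": {"signers": {"anna"}, "required": 2}}
    return {
        "two_directors": verify_document(good, CERTIFIED, REGISTER),
        "clerk_cosigns": verify_document(clerk, CERTIFIED, REGISTER),
        "tampered": verify_document(tampered, CERTIFIED, REGISTER),
        "forged_certificate": verify_document(forged, CERTIFIED, REGISTER),
        "authority_withdrawn": verify_document(good, CERTIFIED, later),
    }


if __name__ == "__main__":
    for case, (names, authorised) in demo().items():
        print(f"{case:20s} formally valid: {names}  authorised: {authorised}")
```

In the `authority_withdrawn` case both signatures still pass formal verification; only the register entry changed, which is the separation the note on certificate attributes argues for.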



Requirements



Clarification of the right to signature and the attached authority.



5.8.3.	Consistency of legal principles



Issue



The legal functions have to be clearly identified for the authority of

digital signatures, before a code-of-practice can be developed and

introduced.



Discussion



In legal practice, security and functional requirements for hand-written

signatures differ widely. In some cases a hand-written signature is

only to indicate that the signer has concluded his train of thought or

his expression of will; under the given circumstances its authenticity

may be obvious and need not be provable. In other cases, for evidence,

the signature must be provably authentic. In yet other cases

authenticity requirements may demand attestation or even ask for more

than one person's signature or for public notification.



The spectrum of legal requirements can be matched by the spectrum of

technical realisations which may differ with respect to security

provisions just as widely as legal requirements. Yet the signing

process must be transparent to the signer. For this reason it must

follow standardised rules; specific man-machine interfaces must be

familiar to the signer; i.e. they must follow a standardised layout

principle.



For ease of transition (in judicial thinking) from hand-written to

digital signatures traditional functional requirements for hand-written

signatures should be met by the technical implementation of digital

signatures as closely as possible.



A particular problem is the validity period of a digital signature. One

must distinguish the validity period of the signature itself and the

validity period of the authorisation.



The validity period of the digital signature itself may have to be

limited for technical reasons. These reasons include:



1.      Insufficient key length. One may discover that some years from

now, new progress in mathematics and technology makes it plausible that

keys of the originally chosen limited length can be broken. (For

instance, several European banks have introduced remote banking with

RSA keys of length 512 bits. One cannot guarantee that this will be

safe in 10 years, or even less, from now.)



2.      Poor key generation. One cannot be sure that programs at the

desired quality level will be used by all key management centres. Hence

users of those key management centres may find that their keys are

breakable, and they have to cancel their certificates.



3.      Weak protection of workstation. The secret key of a user may be

compromised accidentally or through negligence. It may also be possible

to tap the password of a user through a Trojan horse on his PC and

subsequently get access to the secret key. (Fraudulent users may even

claim this happened, and give away their key on purpose, in order to

dispute that a certain signature did originate from them.)



If the necessary precautions are taken, and a differentiated approach

is taken to the validity period of signatures, most digital signatures

would fall inside the scope of applicability of hand-written signatures.



The authority attached to a signature normally changes much faster. The

authority given to a person should therefore not be included in the

attributes of the certificate, otherwise any change in authority would

invalidate the certificate.



However, in all the work that has been carried out so far, there is no

solution offered to the following problem: If messages have been signed

with a key and need to be kept for a number of years, and that key is

denounced by the user as being compromised, how can the value of the

already calculated signature be left intact? One possibility might be

to use a TTP for time stamping, but further study into this problem

seems warranted. An example may illustrate this point.



If a user A signs a message in 1993, which has legal consequences to

user B until 2003, and A then cancels his certificate in year 1995,

claiming that his key has been compromised, he will probably claim that

the signed document from 1993 was falsified in 1995 by B, who could

have bought a copy of A's secret key. However, if B upon receipt in

1993 had gone to a TTP and had the signature of A time stamped and

signed by the TTP, or even registered, he can prove that A in fact did

produce the said signature back in 1993.



For some sectors and/or applications the granularity of the time

stamping will be critical. It is conceivable that trusted time down to

one second accuracy will be needed.
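
The two-step verification of 5.8.2 and the time-stamping example above, as an added illustration that is not part of the Green Book. Assumptions: the function names, the authority register and the revocation list are hypothetical; the keys are constructed toy textbook-RSA keys (products of Mersenne primes, unpadded, not secure); time is kept in whole years as in the example.

```python
import hashlib

E = 65537  # public exponent shared by the toy keys below

def make_key(p, q):
    """Toy textbook-RSA key pair from two known primes (illustration only)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):
    n, d = private
    return pow(digest(data), d, n)

def formal_verify(public, data, signature):
    """Step 1: the named key signed exactly these bytes (no modification)."""
    n, e = public
    return pow(signature, e, n) == digest(data)

def stamp_bytes(signature, year):
    # What the TTP signs: a hash of the signer's signature bound to the time.
    return hashlib.sha256(str(signature).encode()).digest() + str(year).encode()

def ttp_timestamp(ttp_private, signature, year):
    return {"year": year,
            "ttp_sig": sign(ttp_private, stamp_bytes(signature, year))}

def verify(doc, cert, authority, revoked, ttp_public):
    """Two-step check, plus the time-stamp rule once a key is revoked."""
    if not formal_verify(cert["public_key"], doc["body"], doc["signature"]):
        return "rejected: formal verification failed"
    # Step 2: authority lives in a separate register, not in the certificate.
    if doc["type"] not in authority.get(cert["name"], set()):
        return "rejected: signer lacks authority"
    revoked_year = revoked.get(cert["name"])
    if revoked_year is not None:
        stamp = doc.get("stamp")
        if stamp is None or not formal_verify(
                ttp_public, stamp_bytes(doc["signature"], stamp["year"]),
                stamp["ttp_sig"]):
            return "rejected: key revoked and no valid TTP time stamp"
        # Year granularity: a stamp from the revocation year is not trusted.
        if stamp["year"] >= revoked_year:
            return "rejected: time stamp not earlier than revocation"
    return "accepted"

# Constructed keys: products of Mersenne primes, trivially factorable.
A_PUB, A_PRIV = make_key(2**127 - 1, 2**521 - 1)
TTP_PUB, TTP_PRIV = make_key(2**607 - 1, 2**1279 - 1)
CERT_A = {"name": "A", "public_key": A_PUB}  # name plus public key only

def run_scenario():
    authority = {"A": {"contract"}}   # hypothetical authority register
    revoked = {}                      # hypothetical revocation list
    results = {}

    body = b"Constructed sample: A's obligation to B, valid until 2003"
    genuine = {"type": "contract", "body": body, "signature": sign(A_PRIV, body)}
    genuine["stamp"] = ttp_timestamp(TTP_PRIV, genuine["signature"], 1993)
    results["in_1993"] = verify(genuine, CERT_A, authority, revoked, TTP_PUB)

    # Authority is checked separately and can change; the certificate does not.
    acc_body = b"Constructed sample: company accounts"
    accounts = {"type": "company_accounts", "body": acc_body,
                "signature": sign(A_PRIV, acc_body)}
    results["no_authority"] = verify(accounts, CERT_A, authority, revoked, TTP_PUB)
    authority["A"].add("company_accounts")
    results["authority_granted"] = verify(accounts, CERT_A, authority, revoked, TTP_PUB)

    revoked["A"] = 1995               # A cancels his certificate
    results["stamped_1993"] = verify(genuine, CERT_A, authority, revoked, TTP_PUB)
    unstamped = {k: v for k, v in genuine.items() if k != "stamp"}
    results["unstamped"] = verify(unstamped, CERT_A, authority, revoked, TTP_PUB)

    # A document produced with the disclosed key can only be stamped late.
    late_body = b"Constructed sample: document first seen in 1996"
    late = {"type": "contract", "body": late_body,
            "signature": sign(A_PRIV, late_body)}
    late["stamp"] = ttp_timestamp(TTP_PRIV, late["signature"], 1996)
    results["stamped_1996"] = verify(late, CERT_A, authority, revoked, TTP_PUB)

    tampered = dict(genuine, body=b"Constructed sample: altered in transfer")
    results["tampered"] = verify(tampered, CERT_A, authority, revoked, TTP_PUB)
    return results

if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case:18} {outcome}")
```

Only the document stamped by the TTP in 1993 keeps its value after the 1995 revocation; the same signature without a stamp can no longer be distinguished from one produced later with the disclosed key.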



Requirements



The legal functions of signatures need to be agreed

EC-wide/internationally. Once this is achieved, it is possible

to determine to what extent a code-of-practice will suffice.

One issue to be addressed is the intended use of the digital

signature, and the legal responsibility and liability of the

signing entity with regard to the signed information.



Clarification of the conditions of acceptance of the authority

of a digital signature, eg for legally binding purposes, ie as

substitute for hand-written original signatures.



Recommendation for the implementation of a public digital

signature scheme for use by business, administrations and the

general public.



Legislative rules and, where appropriate, liabilities, for

keys, certificates and TTPs need to be developed to cover

revocation of any or all the entities involved in the "chain of

proof" needed in the signature technique.



5.8.4.	Signature schemes 



Issue



Introduction of international digital signature and identification

schemes.



Discussion



Open communication requires standardised publicly available algorithms.

It is possible, however, to develop a scheme for digital signatures, to

get laws, regulations or directives in place, to develop supporting

profile standards and to develop fully implementable models for TTPs,

without specifying in detail the underlying algorithms.



The characteristics required of a digital signature mechanism include

that it



is practically unbreakable



has a sufficiently large key space, performance (time and space

requirements for signing and verification), reasonable size of

key, etc.



includes key generation.



In order to allow for world-wide, unrestricted use of a digital

signature scheme, the mechanism should not be usable for the

concealment of message content.



The minimum requirement should include



an estimate of error probability if probabilistic methods are used



an estimate of probability of occurrence of weak keys (perhaps

completely improbable)



a guarantee of sufficiently high degree of uniform

distribution.



In so-called identification schemes (for access control), which do

require public key techniques rather than conventional schemes,

practical zero-knowledge protocols must be developed and standardised

that fit a corresponding digital signature standard.



Requirements



Development of specifications and standards along the lines

described above



Development of specifications and standards for application

oriented integration



Development of a general application programming interface

(API) for integration of security services which could be

easily integrated into most applications. (This could as well

include codes which explain the intention of the applied

signature.)



Development of transaction-oriented multiple signature schemes



Solution to the specification, standardisation and licensing

problem of cryptographic algorithms.



5.8.5.	Key usage



Issue



Digital signatures imply the specification of a full set of procedures

dealing with the three phases of key management - user enrolment, key

and certification distribution, and operational maintenance

(revocation, blacklist, destruction), which must be agreed and

accepted.



Discussion



In order to apply security to any message or process, four logical

layers are relevant:



1.	Legal intentions and implications



2.      The definition and identification of the relevant security

service to be applied.



3.	The underlying mechanisms.



4.	The algorithm and protocols.



Without standardising or agreeing on the 4th layer, it will not be

possible to communicate.



In order to adopt electronic versions of negotiable and

quasi-negotiable documents, such as bills of lading, new security

services have been identified to meet business requirements, in

particular claim of ownership for exchange of values. This needs to go

through a standardisation process.



But also for more "classical" services, the current standards do not

reflect the granularity of eg non-repudiation needed by business

requirements. ISO 7489-2 only addresses non-repudiation of origin and

delivery (sometimes called receipt). However, one needs at least

origin, submission, delivery and receipt, where submission and delivery

would correspond to the services required when a registered letter is

mailed.



For hand-written signatures, a person typically knows what he is

signing, which is important for legal implications. This is not so easy

to achieve with electronic data. In particular it must be clarified to

what extent the system must indicate to the user what he is actually

signing.



Requirements



Develop standards and profiles as described above, especially

the development of profile - or functional - standards to

support CCITT X.509.



5.8.6.	Universal acceptance



Issue



For digital signatures to become a full alternative to hand-written

signatures, universal acceptance is required.



Discussion



All functions of the hand-written signature should also apply to

digital signatures.



Where legal functions are carried out by digital signature, consensus

with the legal profession is essential.



Requirements



Development, together with the legal profession, of

recommendations for the practical use of digital signatures as

a full equivalent to hand-written signatures in legal

transactions



Demonstration, through pilot projects, that digital signatures

can be used as equivalent to hand-written signatures



Inclusion of the use of digital signatures in the curriculum of

relevant educational institutes (eg engineering, law and business

schools).



5.8.7.	Security of electronically stored information



Issue



As legally and commercially significant information is transferred and

stored electronically, the implications of this on long-term (10's of

years) secure storage and retrieval must be properly understood.



Discussion



Industry is moving increasingly towards electronic trading in all its

aspects. Governments are encouraging the use of electronic

communication of commercially and legally significant information. As a

result, there is a need both to establish irrefutably the origin of,

and the delivery of, such information and, particularly, that the

information has been signed and stored in an unforgeable way. This

unforgeable electronic signature must be trusted for at least 10's of

years for some information, and the associated information must be

retained in a secure manner that is capable of human interpretation at

any time during that period. Any system proposed for electronic

signature storage must be as secure and robust as that currently used

for hand-written signatures.



Any such system must allow for not just technical evolution, but also

social change and other factors (e.g. the continued existence of

trusted public key directory centres, or the way businesses merge,

change or collapse). It is not currently clear that the way this can be

achieved is yet accepted legally, or the full implications are even

properly understood.



Requirements



Build on the digital signature experience to consider the

long-term implications of the unforgeable secure storage and

retrieval of legally and commercially significant information,

with access by any authorised person or organisation

internationally.



5.9.	Privacy enhancement issues



5.9.1.	Perception of requirements for privacy enhancement



Issue



Confidentiality is, at times, essential for the good functioning of

administrations, business and human relations.



Discussion



Business users of telecommunications and information systems cannot

obtain full business benefit without confidentiality services being

available. There is a clear need for confidentiality services in the

exchange of information in the business as well as in the private use.

Today the exchange of sensitive information requiring confidentiality

is often done in non-electronic form because for electronic

transmission "confidentiality" is either not available or its use not

permitted. With the increasing demand for fast exchange of all kinds of

data, demand for "confidentiality" will become pressing.



Most business and private users of communication systems are aware of

the conflict between their confidentiality requirements and national

security issues which require the possibility to intercept the

communication in a way regulated by national laws. They accept the

national authorities' ability for this interception provided there are

adequate safeguards to prevent unauthorised interception even by

government employees.



Expectations of confidentiality of electronic message services can

currently not be met in the absence of international standards or

internationally accepted methods. Uptake of these services by

commercial users to support business processes will therefore have a

natural limit, ie to those messages that someone usually writes on a

postcard. Examples of commercially sensitive information include

pricing and bidding strategies, mergers and take-overs, or, from a

privacy point of view, transmission of personnel and medical data.



User needs for confidentiality



In analogy with confidentiality offered by existing physical mail and

archiving services, ie envelopes, registration, courier services, etc.,

there is a need for confidentiality in the situation of electronic

interchange and storage of data. Even more so because electronic data

can much more easily be copied or disclosed in its usual form, eg only

channel coding and formatting as the "envelope", than its physical

counterpart.



At present certain unclassified but sensitive information on physical

media such as paper, microfilm, or photograph, of business enterprises

or medical centres are protected against unauthorised disclosure by

physical and procedural methods.



Today the trend is towards more electronic communication and storage of

data and hence there is a need for appropriate confidentiality services

in an agreed or standardised form to be readily available for all users

of electronic information systems.



Service provision



The extent to which confidentiality services are provided for a

specific business or citizen could depend on a system of licenses or

certificates.



A particular business might qualify for a confidentiality license

depending on its internal procedures and activities. A general

(minimum) level of confidentiality could be provided to all users.



It should be possible for certain user groups or businesses to use

other confidential services (eg proprietary) than the standard ones

provided.



There are strong indications of emerging "bottom up" solutions for

these needs (eg the Pretty Good Privacy offering on Internet, beginning

1993).



Other initiatives (eg the announcement of the "Clipper Chip", 16 April

1993) illustrate the growing awareness of governments of the needs of

their citizens for confidentiality services.



Awareness 



In general users of electronic data processing systems are not aware of

the threats involved in using those systems. Only after they have

noticed (the consequences of) an unwanted or unauthorised disclosure of

their information will they start to think of the inherent

vulnerability of the system they are using. In view of this one should

try to create more security awareness. Users, service providers,

operators and authorities should achieve a certain minimum level of

awareness of the issues involved in using confidentiality services

before embarking on their use.



Granularity (meeting differentiated needs)



Confidentiality services at different granularity and for different

types of telecommunication services are needed. Based on his risk

analysis the user can then decide which level of confidentiality he

needs and then use the service which provides this required level.



Some users may want a range of services of different assurance levels

(analogy of courier services, registered mail, ordinary mail). Some

users may want visibility of assurances to different extents.



Impact of loss of information and Impact of theft of information



By its nature, actual risks and impacts of disclosure are hard to

quantify. But the absence of a baseline of protection of

confidentiality will undoubtedly have a negative impact on commercial

(and other) usage of international electronic communications in a wide

range of business processes.



Actors and roles



Individuals may have a number of roles in more than one organisation -

these need defining or clarifying. Their "role" as a private citizen is

an important case. The organisations that act as custodians of roles

need to be classified also. These are essential ingredients for domain

management.



Mutual confidence and TTPs



Users need mechanisms to ensure that they get assurance of compliance to

agreed "rules of procedure" from their trading partners, or other

private citizens, with whom they are interacting using confidentiality

services. TTPs are one mechanism for achieving this, but other lower

assurance, lower cost solutions may also need to be considered.



Requirements



Proposal for frameworks and architectures which are accepted

by the business users as well as by the national security

agencies and the service providers



Standards for services and service provision. Ensure that the

confidentiality services are compatible with existing

communication standards and practices where possible



Verification of practicability of proposed solutions through

suitable pilot projects



Model contracts for confidentiality services



Awareness of sector actors of the potential losses due to the

absence of confidentiality services.



5.9.2.	The case for the provision of public confidentiality services



Issue



The provision of public confidentiality services has to reconcile the

needs of the business sector and general public with the obligation of

public authorities to provide adequate protection while at the same

time maintaining their capability to fight organised crime, maintain

public order and national security.



A well developed public confidentiality service would provide for the

obligations in a transparent manner.



Discussion



Business operates increasingly in an international and open

environment. The communications take place via private and public

networks. Modern network management techniques use alternative routing

depending on traffic conditions. This implies that the physical

communication is under the control of a variety of intermediaries

working under different regulatory and legal conditions for data

protection and privacy, and therefore one must consider the network as

inherently risky. This means that end-to-end protection is required.

This applies also to the general public using international public

telephone networks.



It is a fact that business and the general public have been addressing

their needs with public domain solutions (published algorithms and

freely available software). However, the approach is awkward and its

utility therefore limited, since, for example, there is no public

directory and the user has to manage the keys himself. A public solution

open to all users requiring electronic signature and confidentiality

would remove the need for the use of ad hoc solutions. It would also

provide for a transparent solution to the need for legally authorised

intercepts.



If a public confidentiality scheme is offered, organised crime could

also subscribe to such a scheme, but as it would include provisions for

legal intercept, it would hardly be attractive. One would expect that

such users would continue to find their own solutions as will the

classified domain.



An open and public service offering a credible level of confidentiality

would therefore provide for the honest user, while not worsening the

situation with respect to public order or national security.



The combination of international communication and national security

regulations requires a common framework for confidentiality services,

which on the one hand interoperates within all Community Member States

as well as with countries outside the Community which themselves may

establish their confidentiality services. This requires either an

overlay approach or gateways which link the different national or

regional services. These gateways are only required where multinational

agreements for co-operation on national security concerns are not yet

established. In this case these gateways may provide at least an

interim solution.



In order to fulfil its function and eliminate the need for "home-made"

solutions, the public confidentiality service must be open to

world-wide use and provide its service in a non-discriminatory way.



Confidentiality services should ensure that



Users are protected and obtain assurance against non authorised

interception and disclosure.



The confidentiality service is of high (technical, procedural)

quality and evaluated as such by all Member States.



Authorised disclosure of the protected user information (undo

the confidentiality service) is under certain well-defined

circumstances possible, eg by secret-sharing.



With this approach, confidentiality mechanism details (description) do

not need to be published or disclosed to the public in general.



While the use must be largely unrestricted, the systems and sub-systems

or equipment for the independent implementation of aforementioned

confidentiality services can be made subject of export controls, eg

export is possible if:



The users comply with the rules of the exporting nation

(end-user declaration) with respect to the disclosure

mechanism.



Multinational business users from EC countries with "central"

organisations.



Other countries on a bilateral agreement liaise with EC if they

comply with the rules.



Export restrictions are, inter alia, based on the concern that

cryptography may be used by hostile governments or other organisations

for the concealment of subversive information. The same concern does

not apply to the use of cryptography for integrity and authenticity

enhancing service.



There are technical solutions to provide only integrity, integrity plus

signature, and integrity, signature and confidentiality.

Confidentiality enhancement is de facto only meaningful in

communications where the two other functions are also provided.



The problem remains that organised crime and hostile governments are

not restrained from adopting public domain solutions or from developing

"home-made" mechanisms. Furthermore they are able to exploit legitimate

users of systems and solutions to their own ends by use of

"traditional" criminal mechanisms of bribery, blackmail or threats to

personal safety. Legislation could discourage non-authorised use, but

cannot be expected to prevent it, particularly in the case of organised

crime. Restrictive legislation impacts the "law-abiding user" much

more strongly than others.



Choice versus interoperability



The users and service providers may feel the need to choose solutions

to achieve the assurance levels they require. But interoperability will

dictate a limited set of possible choices being available, and costs of

service provision will also focus debate onto efficient solutions.



Advice and instruction / prohibition



This may vary from country to country; however, certain minimum rules

will need to be adhered to between parties offering interworking public

schemes. Beyond simple usage, these rules also cover systems and sub-systems

or equipment for the independent implementation of such confidentiality

services.



Requirements



Choice of architecture that minimises service vulnerability

(The confidentiality that users enjoy will depend upon the

robustness of the service that is offered. This in turn will

depend upon the robustness of the architectures available to

perceived threats: key theft, masquerade, deliberate denial of

service, inadequate disaster recovery are examples of threats

the vulnerability to which may be different for alternate

architectures.)



Framework for the provision of trans-domain confidentiality

services (Mechanisms are needed that provide for a defined way

to pass from one domain to another. This will require

collective or multilateral agreements for interoperation.)



Guidelines for pan-European confidentiality service providers



Model contract for relationship between service providers

across national boundaries



Assurance criteria for service providers and operators



Accreditation process for mutual recognition.



5.9.3.	Interworking of autonomous confidentiality services



Issue



Till such time that a universal service is being offered, interworking

between autonomous confidentiality services is likely to be the normal

situation because of the differentiated requirements. This implies the

need for generally accepted rules for the relationship between these

services.



Discussion



For quite a time the conflict between national security issues and the

business need for international communications has blocked significant

progress in the area of confidentiality services in telecommunications.

With the recent US initiatives, pressure from European companies will

grow to have access to equivalent services. But within Europe we have

the situation that neither the legal situation in the different EC

countries nor their national security policies are harmonised enough to

have a single confidentiality service scheme with a single algorithm

established within the foreseeable future. Therefore it is necessary to

have a framework, which enables user-transparent interoperability

between different national or regional schemes and which does not block

the way for a single scheme which may be established in the far future.

Interoperability is also required with non-European schemes like the

US scheme. To provide this interoperability the way information is

passed from one national security domain to another has to be specified

and the national schemes have to be compatible with this specified way.

The establishment of such a framework for interoperability is therefore

a subject which needs international harmonisation. Aspects related to

this are requirements for the cryptographic algorithms and for key

management issues.



Requirements



Definition of minimum requirements to ensure interoperability,

including standards, specifications, rules of procedure and

operating practices



Demonstration of trans-European confidentiality services using

a suitable application, eg the realisation of administrative

telematics applications.



5.10.	Motivation to acquire evaluated solutions



Issue



The advantage of the use of evaluated/certified solutions is not

generally accepted for commercial applications.



Discussion



Formal security evaluations have been carried out at a national level

by a comprehensive, costly and time consuming process. The investment

in the evaluation process by the vendor has resulted in higher prices

for the resulting secure IT product. The duration of the evaluation

process has resulted in many secure products falling behind the

technical state of the art.



Up to now, this has detracted from their broader relevance in the

commercial market. Users have often preferred lower cost, more

functionality rich products unless forced to purchase evaluated and

certified products through some public procurement policy.



Vendors, historically, had products evaluated separately by each

national market and their supporting criteria. The resulting limited

revenue opportunity did not justify the high cost of getting products

evaluated.



It is necessary to change this view by convincing users of the

advantages of purchasing evaluated/certified solutions. Rapid adoption

of common evaluation and certification criteria is essential to reduce

cost and speed-up mutual recognition of the resulting certificates.



Requirements



Rapid adoption of common criteria



Rapid agreement on common evaluation method



Portability of test results and mutual recognition



Work sharing between vendors, test centres and users to speed

up the evaluation process



Establishment of the "value-added" for the use by

administrations and business, eg in terms of liability

protection



Consistent use in public procurement.



5.11.	Consistency of procurement practices



Issue



National procurement guidelines for the purchase of

evaluated/non-evaluated products are not consistent throughout the EC,

nor is there a general agreement on when there is an obligation to use

evaluated products, and when it is recommended but discretional.



Discussion



Some security evaluated IT and communications products are purchased as

a result of a risk analysis where it is determined that the evaluated

communications product better suits the organisation's security needs

than a non-evaluated product.



However, a survey conducted of over 200 organisations indicated that,

to a large extent, evaluated products are purchased today by

organisations in the EC because of the expectation they will be

required by law to use certified products. This type of legislated

market is occurring especially in those Member States that were

involved in the development of ITSEC.



Unless common procurement policies are established in the EC, the IT

market will become a patchwork of evaluated and unevaluated products.

This may create new barriers to the efficient flow of information.



Requirements



Identification of categories of application for evaluated

solutions



Alignment of national procurement policies concerning evaluated

products



Investigation of how to assist those member states not involved in

the early stages of ITSEC to develop and test procurement

policies that are based on evaluated communications products.



5.12.	Information Valuation



Issue



For insurance purposes and for tort law cases a common means of

valuation of information and information processing resources is

needed.



Discussion



In the case of information processing resources, the valuation may be

as straightforward as estimating the replacement value of computers or

the value of computer time in the case of denial of service (eg:

through virus attacks or other penetration). However, in the case of

destruction or theft of information, the problem is less

straightforward.



Obviously, it is not possible to set a standard for the value of

information, so what appears to be a potential solution is to establish

standards for valuation.



Requirements



Definition of the classes of information used and the types of

damage that could be caused to the information owners



Definition of the rights and duties of information ownership



Development of guidance for owners of information as to the

actions that they would have been expected to take to protect

their assets and avoid negligence charges



Development of the methods and procedures that should be used

to establish information value.



6.	Supply related issues



6.1.	Supply related Issues - Trusted Third Parties



6.1.1.	Role of Trusted Third Parties



Issue



The public and generalised use of digital signature and of

confidentiality services and the conformance with the needs of law

enforcement implies the availability of Trusted Third Party (TTP)

services to provide essential functions.



Discussion



TTPs will have to inter-communicate internationally and thus form a

network of Trusted Third Parties, based on an international framework

for their operation.



Trusted Third Party services can be considered as value-added

communication services available to users wishing to enhance the trust

of the services they use. Therefore TTPs have to be able to offer value

added with regard to availability, integrity, confidentiality and

assurance. Although TTPs may be set up on a national basis within

national law, they must be trusted internationally.



There are different types of functions which may all or in part be

fulfilled by TTPs. The exact nature and extent to which these functions

are provided by TTPs will be dictated by practical considerations and

may vary considerably.



In general the TTPs operate on the basis of information provided by the

user. Certification of information is carried out on the basis of

evidence of correctness provided by the user or generated by the TTP

itself, eg the keys.



The major services a TTP may offer include some or all of the following:



Name assignment, ie the function of assigning individuals' and

enterprises' unique names and addresses. Individuals may

possess several different distinguished names, according to

their role, eg as private citizen and as employee of a

corporation.



Certification, ie the function to validate that a name and

address has certain credentials, eg a public key for

signature.



Key Management for signature, ie the generation, distribution,

establishment, and administration of public and private keys.



Key Management for confidentiality, ie the function to

generate, distribute and administer keys used for confidential

communications.



Management Services for Names and Credentials, ie the function

to establish, administer and make available registers with the

names of individuals and their certified credentials.



Legal services, ie functions usually performed by the legal

profession, mostly concerned with non-repudiation.



Guaranteed Date and Time Stamping, ie the function to provide

exact date and time on request, to support non-repudiation.



Management of Negotiable Document Transactions, ie unforgeable

non-personalised tokens (eg electronic Bills of Lading,

electronic shares).



Storage of Electronic Information for clients with appropriate

guarantees of confidentiality and integrity.



Common to Trusted Third Party service providers is that they have to be

accredited and audited, and that they have to operate under the law of

the country using common guidelines. The figure below provides an

analysis of the different functions involved in the establishment and

operation of TTPs.



The diagram identifies four functions in this process. The functions are:



the provision of the required good practices, rules and

regulations for the accreditation and operation of TTPs



the accreditation, re-accreditation and audit of TTPs



the TTP functions themselves



the use of communications and of the TTP.



This diagram does not imply any particular allocation of responsibility

for the functions indicated.



The information flow contains the following major elements:



National Laws. The operation of TTPs will take place within the

laws of the country in which they are located. It is

conceivable that some legislation has to be updated to allow

TTPs to operate in an international environment.



Good practices, rules and regulations for the accreditation,

operation and audit of TTPs.



Standards for communications.



Good practices, regulations and laws for the use of

communication services.



6.1.2.	Operating principles of TTP



Issue



The need for common operating principles for TTPs.



Discussion



To be effective, TTPs must:



operate securely



operate within a consistent legal framework across the Community



offer a range of services, with a defined minimum



conform to European or international standards, where available



follow accepted good practice



allow for independent arbitration, without compromising security



be monitored by a supervisory board



be independent in its operation within accreditation rules



have a public policy on service refusals, if applicable



assume responsibility of liability within defined limits for

availability and quality of service.



The key questions include:



Has the TTP a contractual obligation of results in terms of

availability, integrity and confidentiality?



How and by whom are the loss and penalty determined in cases of

fraud, negligence or failure of the TTP?



What assurance to the final user is offered by the

accreditation of the TTP?



Requirements



Harmonised legislation to provide an appropriate framework for

arbitration, supervision and litigation



Model for TTPs meeting the requirements of users and

authorities.



Baseline for accepted good practice including a study of the

level of availability, privacy and security required for the

TTP by the final users and how much they are ready to pay for

it



Definition of quality of service, including availability,

confidentiality, response-time, rules of disclosure to law

enforcement agencies



Operational guidelines, including descriptions of minimum set

of services and standards to conform to



Standard clauses for the contract between the TTP and the user,

concerning the liability of the TTP.



6.1.3.	Accreditation and audit of TTPs



Issue



The need for harmonised procedures for the accreditation and audit of

TTPs.



Discussion



Although the accreditation and audit of TTPs may be a local or national

responsibility, the procedures to be followed must be harmonised and

have a common basis in order to ensure mutual trust.



It is assumed that national governments will be responsible for

approving accrediting bodies. This may require the creation of new national

laws or the adaptation of existing laws.



From the TTP point of view, timely and fair responses to requests for

accreditation will be important.



From the user point of view, the agreed terms of the accreditation need

to be properly documented and inspectable.



To maintain public trust in TTPs, an audit process must be put in place.



Other issues are related to the



requests for accreditation from service providers in other EC

and non-EC countries



certification of certificates



authority and accreditor signatures.



Existing Community rules for accreditation (eg of test centers) should

be used as a basis for this work.



Requirements



Development of international guidelines for the accreditation

and audit of TTPs



Adaptation of applicable legislation or regulations to provide

an appropriate legal framework for use throughout the Community

and in the relations with third countries.



6.1.4.	Use of names and certification of credentials



Issue



Use of names and of credentials (eg the public key) in international

communications.



Discussion



Name Assignment and Certification Authorities are Trusted Third

Parties. They have been defined and, to some degree, specified by CCITT

X.509 "Directory - Authentication Framework". Their purpose is to allow

for individual and authentic addressing of communication system users

by means of their authenticated Distinguished Names. A user may ask a

Naming Assignment Authority for a Distinguished Name. The Naming

Authority will give him a Relative Distinguished Name and supplement it

with its own Distinguished Name to form the user's Distinguished Name. Thus,

although a person may ask several Naming Authorities for the same

Relative Distinguished Name, each of his Distinguished Names will be

unique, because the Distinguished Names of the Naming Authorities, by

definition, will be unique. The concept of an agent that handles the

interfaces between the end-user and the naming authorities is important

in providing a user friendly interface to this process.



The two functions of name assignment (or identification) and

certification are "binding" operations. Name assignment binds a

particular name to an entity (a person or device), and certification

binds certain credentials to a name. The diagram below shows the double

binding process.



A Distinguished Name and a unique cryptographic Public Key are made

part of the user's Credentials. The Public Key can be used to verify a

(ciphertext) signature which has been effected by the user's

complementary Secret Key (not contained in the Credentials).

Credentials are signed/certified by the Certification Authority. Thus

the user's Certificate consists of the Credentials, their signature by

the Certification Authority and, if necessary, the Certification

Authority's own Certificate. The user is given his certificate,

preferably in a tamper resistant chipcard.



After signing a message with his Secret Key the user concatenates his

Certificate to the message and its signature. The receiver of the

signed message can use the Certification Authority's widely available

Public Key to verify the signer's Certificate and Public Key. With the

latter the authenticity and integrity of the message can be verified.
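
The double binding and the receiver's two verification steps described above, as an added example that is not part of the Green Book. Assumptions: textbook RSA over small fixed primes stands in for the unspecified signature algorithm (toy parameters, no padding, not usable for real keys), and all names, keys and the message are constructed sample data.

```python
import hashlib
import json

E = 65537  # public exponent shared by both toy keys


def make_keypair(p, q):
    """Textbook RSA key from two primes (toy sizes, no padding: demo only)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"n": n, "e": E}, {"n": n, "d": d}


def _digest(data, n):
    # SHA-256 of the data, reduced into the range of the modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data):
    return pow(_digest(data, private["n"]), private["d"], private["n"])


def verify(public, data, signature):
    return pow(signature, public["e"], public["n"]) == _digest(data, public["n"])


def assign_name(authority_dn, rdn):
    """First binding: the Naming Authority appends the user's RDN to its own DN."""
    return list(authority_dn) + [rdn]


def encode_credentials(dn, public):
    """Canonical byte encoding of the Credentials (DN plus public key)."""
    return json.dumps({"dn": dn, "key": public}, sort_keys=True).encode()


def issue_certificate(ca_dn, ca_private, subject_dn, subject_public):
    """Second binding: the Certification Authority signs the Credentials."""
    creds = encode_credentials(subject_dn, subject_public)
    return {"dn": subject_dn, "key": subject_public, "issuer": ca_dn,
            "signature": sign(ca_private, creds)}


def verify_signed_message(message, signature, cert, trusted_cas):
    """Receiver's check. Returns the signer's DN, or None if any step fails."""
    ca_public = trusted_cas.get("/".join(cert["issuer"]))
    if ca_public is None:
        return None  # certificate issued by an authority the receiver does not know
    creds = encode_credentials(cert["dn"], cert["key"])
    if not verify(ca_public, creds, cert["signature"]):
        return None  # the name/key binding is not vouched for by the CA
    if not verify(cert["key"], message, signature):
        return None  # message altered, or signed with a different Secret Key
    return "/".join(cert["dn"])


# Constructed sample data (hypothetical names; Mersenne primes as toy key material)
CA_DN = ["C=XX", "O=Example CA"]
CA_PUB, CA_PRIV = make_keypair(2**127 - 1, 2**107 - 1)
TRUSTED = {"/".join(CA_DN): CA_PUB}  # the CA's "widely available Public Key"

NAMING_A = ["C=XX", "O=Example Naming Authority A"]
NAMING_B = ["C=XX", "O=Example Naming Authority B"]
ALICE_DN = assign_name(NAMING_A, "CN=A. User")
ALICE_PUB, ALICE_PRIV = make_keypair(2**89 - 1, 2**61 - 1)
ALICE_CERT = issue_certificate(CA_DN, CA_PRIV, ALICE_DN, ALICE_PUB)

MESSAGE = b"Purchase order 17: 40 units"
SIGNATURE = sign(ALICE_PRIV, MESSAGE)

if __name__ == "__main__":
    print("genuine message :", verify_signed_message(MESSAGE, SIGNATURE, ALICE_CERT, TRUSTED))
    print("altered message :", verify_signed_message(MESSAGE + b"0", SIGNATURE, ALICE_CERT, TRUSTED))
    print("same RDN, two authorities:",
          assign_name(NAMING_A, "CN=A. User"), assign_name(NAMING_B, "CN=A. User"))
```

The receiver needs only the Certification Authority's Public Key in advance; the signer's key arrives inside the Certificate and is accepted only because the Authority's signature covers both the Distinguished Name and the key.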



The security services related to name assignment and certification need

further standardisation as well as legal recognition, both preferably

on an international level.



The United States have already begun to apply relevant US national

standards. Therefore, corresponding standardisation action should be

started on a European level. Its results should be made the basis for a

European contribution to international standardisation. At the same

time an interface toward a legal usage of naming and certification

services should be defined to ease the adaptation to and to provide for

the compatibility of the various EC legal systems.



Other related issues are pseudonyms and anonymity, for which a business

requirement has been identified. Different degrees of anonymity should

be provided for according to the specific needs in digital cash,

tele-shopping, registration in data bases for statistical purpose etc.



As described above, the ability to sign a piece of data is to be

distinguished from the authority an entity possesses.  This

relationship is depicted below:



Requirements

Development of guidelines covering the use of names, by specifying:



o naming principles (hierarchy of naming authorities)

o format of Distinguished Name/Relative Distinguished Name

o requirements to be met by naming authorities

o requirements to be met by the user

o requirements for the protection of the name against changes

o handling protocol between naming authorities, user and

certification authority

o change of names

o recording of information pertinent to de-referencing of names

(by the Directory).



Development of guidelines covering the use of certificates, by

specifying:

o certificate semantics and format

o certificate handling (production, issuance)

o signature and its certification (method, process)

o authentication of certificate owner (method, process)

o expiry dates

o renewal of certificates (periodical)

o renewal of TTP public key (periodical)

o handling compromises of secret information (secret keys, PIN etc.)

o revocation of certificates and notification

o black listing and execution of certificates

o security requirements to be met by certification authorities.



6.1.5.	Key management service



Issue



Key management services for signed and privacy enhanced communications

between organisations and individuals.



Discussion



General



Definition of responsibilities and obligations for services

that provide trust in the integrity of communications and those

that provide confidentiality.



Development of codes of practice for the generation,

distribution and storage and destruction of keys for both

purposes (integrity and confidentiality) in environments that

have varying levels of assurance.



Definition of escrow services. Some of the secrets may be of

paramount importance and may have to be distributed among

trusted parties (distributed-secret-escrow agents) so that none

of the parties know the complete secret and not less than a

defined minimum of those trusted parties must contribute their

part of the secret in order to produce the complete secret.



Mechanisms and criteria for assessing applicants' suitability

for the use of TTP services. Not all potential users of TTPs

may have the necessary attributes (eg legal status, financial

viability, etc.). This essentially applies to TTP services for

closed user groups.



Integrity and digital signatures



Relationship between the key management functions, directory

management and certification needs to be clarified.



Timeliness of issuing signatures when an application is made -

verification of "signature worthiness" of applicant - periodic

review of "worthiness" of existing constituency of signature

holders.



Removal of signatures from "active list" and initiation of

"attempted illegal use" audit. This is a "certificate

management" - "key management" interface management issue.



Privacy Enhancement



Management of the domain within which the confidentiality keys

are valid. The identity of authorised subjects within the

domain: Key distribution to those authorised subjects (people

and automated processes).



Should the TTP define the domain as well as manage it? If not,

should another TTP hold the definition (ie table of authorised

subjects)?



Assessment of the assurance level of the domain within which

the confidentiality keys are to be used, ranging from vetted,

cleared people with physical and logical access controls to

un-cleared people in open environments.



Domains are an important concept in confidentiality provision. The

following questions require an answer:



1.      What is the scope of validity of a domain for certification and

the scope of validity for a confidentiality mechanism? Who manages the

domains? Who manages inter-domain issues? Does each domain need a

different TTP?



2.      Who determines the scope of a domain? Who is authorised to

change it? (for both certification and confidentiality.) Is a domain a

"contract", and under which circumstances?



3.      What are the assurance criteria for domain management? Who

audits a domain manager? Who maintains the principles of domain

management as technology changes?



4.      Should domains for certification and confidentiality be

different in view of the fact that a confidentiality domain will be

transitory and that therefore key management principles are different?



5.      When should the use of escrow services be mandated to ensure domain

integrity?



Requirements



Single digital signature mechanism and specifications

preferably consistent with other leading countries



Adoption of a confidentiality algorithm standard and

specification, and a key distribution mechanism based on an

asymmetric public key algorithm



Establishment of "domain assurance" levels and criteria for

TTPs to use for confidentiality key management purposes



Codes of practice for TTPs engaged in key management

activities, and the provision of escrow services and the

methods by which those codes of practice would be audited



Set of criteria for mutual recognition between TTPs acting on

behalf of organisations who wish to communicate securely.

Merging of signature directories and secure inter-domain

communications are fundamental issues.



6.1.6.	Management Services for Names and Credentials



Issues



Whenever parties engage in bi- or multi-lateral electronic

transactions, they need beforehand some non-transient information on

their partners (such as identity, legal representatives or any other

kind of credentials eg public keys). This does not imply permanent

recording of such information.



Discussion



Management Services for Names and Credentials are established to

facilitate access to this type of information, whereby service

subscribers are provided with up-to-date data pertaining to the parties

listed in there. Because partners may conclude the transactions on the

basis of the information (at the minimum, the authenticated identity of

their partners) they are provided with, and because some of the

information stored by such a service may be protected by privacy

legislation, the service itself must be trustworthy and the data it

provides correct.



Management Services for Names and Credentials keep objects which are

referred to by "Distinguished Names". A Distinguished Name is unique to

a communication subject. A subject may have a number of (unique in the

above sense) "Alias Names". It is required that the service can

reference Alias Names to their subject's natural names. An Alias Name

may be a pseudonym. Whether or not the service is allowed to reference

a pseudonym and let the inquirer know the result will depend on the

subject's data privacy rights.



If, as is likely going to be the case, there is more than one provider

and certifier of information, the Management Services for Names and

Credentials must be part of a network of information suppliers. The network

can be organised according to either geographical distribution or

business sector or information taxonomy or all three of them. Users may

have to subscribe to more than one such service or service type (eg

"Public Key directory for the banking sector"). Users may have a number

of different roles in an enterprise, each of which needs access to a

set of different services. In the case of a multiple service and

network of providers, one can speak of a system of Management Services

for Names and Credentials.



Because of the damages that could be caused by the distribution of

false information, the Management Services for Names and Credentials

must apply due care in its operations. In the case of proven negligence

the service could be held liable if inaccurate information were

provided. The creation, update and destruction (eg in the case of

certificate revocation) of information is either mandatory or

forbidden. In critical cases (eg certificate revocation), the update

may have to be notified to subscribers without request.



The management of the Management Services for Names and Credentials

must thus be accountable. There must be legislation, rules and

regulations governing it.



Obviously, the service must cover and be available on an international

level.



Obviously there is the issue of standardisation of the service at the

user end (external interface) and between service providers (internal

interface).



Since international Management Services for Names and Credentials are

akin to internationally distributed data bases, they face the same

legal questions: who is legally responsible for the information

(between the creator, the storer, the distributor)?



Market pressures are bound to promote the advent of sectorial

Management Services for Names and Credentials, and possibly their

subsequent interconnection or integration into a larger network. In order

to avoid fragmentation among proprietary services, there may be a need

to lay down base rules for naming, binding, certificates and the

associated IPR rules.



Requirements



The basic issue is the provision of efficient Management Services for

Names and Credentials; supplying various types of information is a

requirement that needs rapid and efficient satisfaction.



Provision of Management Services for Names and Credentials, to

include:



o Identity (cf. issues on name authentication and referencing

of Alias Names)

o Name information (to enable the correct forwarding of

messages (eg static digital network or GSM communications))

o Credentials such as public keys or any signature-verification

data.



Interoperability specifications and standards.



Harmonisation of legislation, rules and regulations concerning

Management Services for Names and Credentials, intra-Community

and extra-Community.



6.1.7.	Legal services



Issues



Legal TTP services are offered essentially to prevent disputes, or

resolve them in a way that is structured, efficient, non-controversial

and accepted by all parties involved.



Discussion



Prevention of disputes arises essentially from the very ability of

legal services to assign responsibility and fault, should one occur.



Thus, legal services must essentially be able to verify the

application or non-application of rules and the evidence

pertaining to them.



Legal services may or may not generate the evidence itself. In

other words the question is whether a third party offering a

trusted service also arbitrates litigations pertaining to its

principal service. For example, does a signature generation

service also provide signature-verification services?



Two issues arise in this topic:



What is the legal status of evidence generated by TTPs? Does

it imply liability? What is the legal status of decisions made

by legal services when they are not judicial but private (and,

as a corollary, what are the rules of appeal)?



If evidence is not generated by the arbiter, how is the

evidence acquired and authenticated and how is responsibility

assigned? One is faced with the general problems of TTPs:

operating rules and legislation, standardisation,

inter-operability and accreditation.



Requirements



In addition to the ones concerning operation legislation,

standardisation, inter-operability and accreditation, Community actions

specifically aimed at legal TTP services could focus on



the harmonisation of legislation on the legal status of

evidence generated by any TTPs and especially on the intra- and

extra- community recognition thereof. This probably implies the

settlement of the accreditation question



the promotion of community-level information technology

litigation services modelled after existing international

bodies such as the International Chamber of Commerce



Essentially focus on - and restrict actions to - the problems

created by the fastest-growing services based on Public Key

cryptography, eg verification of signatures, certificates,

etc.



6.1.8.	Guaranteed date and time stamping



Issue



Guarantee of unambiguous date and time of submission and receipt.



Discussion



In electronic communications, a digital equivalent is required for the

date and time stamp in the paper world. Such a time stamp must be

issued by an organisation that is trusted. If time stamps are simply

attached internally by the sender or receiver of a message, then, in

case of litigation, it will be difficult to establish if these were

erroneous or have been forged.



In direct communications, both parties may agree on a mutual time

reference, but in store-and-forward type communications time stamping

by a third party is particularly important.



Depending on sectoral differences, different granularities of time

stamps may be needed. Some sectors may be content with the date, some

with the nearest second.



The third party must be trusted by both parties, or at least by the

dispute resolution mechanism, for the correctness of the date and time

supplied, but also for the confidentiality with which they handle the

contents of the correspondence.



The time stamping schemes proposed so far are impractical, because they

require the recording of the time stamp and the document (or at least

its digest).



Requirements



Development of an approach to date and time stamping for

time-critical transactions and applications, including a range

of granularities of timing.



International harmonisation of rules and services for time

stamping, with the objective of achieving general recognition

and acceptance of time stamps and their provision by suitably

accredited service providers.



International harmonisation of rules and services for time

stamping, with the objective to achieve general recognition and

acceptance of time stamps issued from different service

providers.



6.1.9.	Negotiable document transaction



Issue



Some conventional physical documents, such as the bill of lading and

the bill of exchange, must be negotiable. Possession of the

document must give title to anybody who can present it. The

electronic equivalent is also needed.



Discussion



Negotiable documents entail that their physical uniqueness must be

protected against duplication; it must be easy to distinguish a copy

from its original. This is the case with hand signed paper documents;

the hand-written signature cannot be copied such that the copy could

not be distinguished from the original. True, a digital signature does

protect the integrity of the signed electronic document; however, it

can be easily copied so that the physical original cannot be discerned

from its copies.



This impedes the usage of electronic communication eg in maritime

trade. The sender of a cargo produces a unique document, the bill of

lading, hands a copy to the shipper and sends the protected original to

the receiver. The receiver may trade the original and its title or keep

it. Whoever presents the original to the shipper will be handed over

the cargo.



The shortcoming of the paper bill of lading is the fact that it takes

time to transport it, particularly as it is a piece of value and must

be well protected. Therefore, an electronic substitute should be found

that protects its originality and can be transacted in

telecommunication systems.



Document originality can be provided by the use of chipcards. A

chipcard can store a secret and protect it. The secret is essential to

authenticate the signature of the document. As the chipcard cannot be

explored, the secret cannot be transacted into another chipcard. Thus

it is practically impossible to duplicate the original chipcard. Such a

chipcard can be made a substitute of the negotiable paper document.



In order to produce and to transact chipcard documents via

telecommunication, trusted equipment is needed. It should be operated by

trusted third parties, eg by public notaries. They may be bestowed with

the responsibility to produce chipcard documents and to transact and

receive them by means of their trusted equipment. Transaction may be

performed by depleting the original chipcard at the sending end,

securely transmitting its information and feeding it into another

chipcard at the receiving end. This process must be protected for its

integrity and confidentiality. Not even the "public notary" must be in

a position to alter the information.



Beside issuing negotiable documents there are other ways of securing

correct title to property. Instead of a person proving his claim by the

presence of a token, the claim may be addressed to a distinct person

who then is expected to prove his identity.



This - continuing with the above example - is the case with the freight

bill, which is another way to deliver a cargo to the authentic

receiver. However, the freight bill cannot be traded as effectively as

the bill of lading, although, by omission of additional chipcards and

other trusted equipment, it makes it easier to design the electronic

substitute process.



One should expect that, unless proper electronic documents will be

available, the use of paper for negotiable documents will be continued

at the expense of effectivity and more paper.



Requirements



Development of techniques for the establishment, handling and

recording of Electronic Negotiable Documents.



6.2.	Supply related issues - Evaluation of trusted solutions



6.2.1.	Perceived Requirements for trusted solutions



Issue



Need of users for trusted components, products, systems, services and

applications



Discussion



The trustworthiness of a given information system and its use imply an

evaluation process. Depending on the needs of the customer, either

vendor declarations or formal certification procedures may be needed.

The choice of either of these mechanisms will depend, inter alia, on

costs and delays involved in formal certification processes. A major

factor is also the recognition of certificates in other markets and

their utility, eg in protecting the user or vendor against liability

claims, where it is possible to do so. In the safety related area, the

trustworthiness of the development process and its execution are also

critical factors and need not only evaluation but also auditing. The

qualifications and experience of project managers and safety auditors

are also factors which affect the resultant level of trust in the

system.



Requirements



International agreement on criteria and evaluation methods, and

mutual recognition of test results



Clarification of the commercial value of "certified products",

eg in terms of liability limitation



Clarification of the status and implied liability of vendor

declarations



Development of principles for liability definitions for

multi-level, distributed services



International agreement on the methods for evaluating safety

critical system development processes, and the qualifications

and experience needed for individuals to become managers and

auditors of such activities.



6.2.2.	International harmonisation and mutual recognition



Issue



At the moment different evaluation criteria and evaluation schemes are

in use. These are especially the US TCSEC, the European ITSEC and the

Canadian CTCPEC. Other countries like Japan have first drafts of

criteria. This situation is not acceptable to international

manufacturers who would have to perform different evaluations against

different criteria and schemes for a single product. This will

unnecessarily increase the cost of the product without enhancing the

security features.



Discussion



Different activities have already been taken or are currently on the

way to harmonise evaluation criteria and evaluation schemes. The ITSEC

and ITSEM are a result of such a harmonisation process within Europe,

and the United Kingdom, France, Germany and the Netherlands are

discussing the mutual recognition of each other's certificates based on

ITSEC and ITSEM, with the intention of achieving agreement in 1994.



In North America, the US and Canada co-operated in the production of

the first draft of the Federal Criteria. Following publication of the

Federal Criteria in early 1993, it has been decided to make every effort

to align the ITSEC and the Federal Criteria to produce a joint

European/North American set of Criteria compatible with existing

practices in both North America and Europe in 1994. This is the first

step towards international harmonisation between the two groups.



Based on these activities, ISO/IEC JTC1/SC27, Working Group 3 is

working on an ISO standard for evaluation criteria.



But harmonisation of the criteria is only the first step to reach

mutual recognition of evaluation results. It will need to be

accompanied by agreement on methodology, schemes and certification

bodies. Only then will mutual recognition between North America and

Europe be possible.



Even within the European Community mutual recognition has turned out to

be an arduous task and mutual recognition of certificates is not yet

achieved, mainly for legal reasons. This indicates that world-wide

mutual recognition of certificates requires many, yet unknown, problems

to be solved.



Some activities for international harmonisation of evaluation criteria

and evaluation processes are currently in progress but only one result

of such a process which seems to be stable and widely accepted has

until now been achieved. This is the ITSEC. But even in Europe the

subject of harmonising the evaluation process turns out to take much

more time than the harmonisation of the criteria. The reason for this

is that the ITSEC could be adopted by different countries quite easily

without significant changes to their existing evaluation processes (and

almost no changes to the certification schemes). The real changes to

the established practices come up when you try to harmonise these two

topics, since this results in significant changes to evaluation and

certification practices and may even have legal consequences.



Looking into the international arena, the only evaluation process and

certification scheme in the area of communications-security which has been in

place for a significant time is (beside the European one) the US TCSEC

evaluation scheme. But the focus of this scheme is mainly to evaluate

and certify commercial operating system products suitable for

government applications. Currently the US are trying to widen this

scope with the Federal Criteria and the accompanying trust technology

programme of NIST whose main goal is to establish a more commercially

oriented evaluation and certification scheme with industrial evaluation

facilities like the ITSEFs in Europe. Both the Federal Criteria as

well as the trust technology program look like a much better basis for

international harmonisation but nevertheless a considerable amount of

work is necessary to achieve this goal. But since both the new criteria

as well as the commercial evaluation process are not yet established in

the US there is an opportunity to influence this process. The fact that

the US sponsors two parallel ITSEC evaluations of their TMach operating

system shows clearly that the US side watches the European activities in

this area very carefully and tries to get as much information as

possible (both positive and negative!) about the European evaluation

process.



Even for the old TCSEC evaluation scheme the US showed great interest

in comparing this scheme with the European ones. In joint tasks between

the CEC and the US side, represented by NIST and NSA, material about the

various evaluation processes was presented. This shows a will for

co-operation which is clearly based on the fact that US manufacturers

sell more communications-products in Europe than vice versa. Other

countries like Sweden, Australia and Japan watch this process very

carefully.



Requirements



Establishment of conditions and procedures for mutual

recognition of evaluations



Establishment of conditions and procedures for

EC-wide/international evaluations



International and EC standardisation of evaluation criteria and

methods.



6.2.3.	Vendor declarations



Issue



For applications that need security, but not the kind requiring formal

evaluations, vendor declarations are used. These are, however, at

present not defined in terms of what they cover and what assurance they

offer compared to formal evaluation.



Discussion



Between the requirements of governments for formally evaluated

solutions and no evaluation at all, there is a large part of

applications used by business and the general public. Vendors do

address security and provide some level of assurance, but its

significance, particularly in an open environment, is not obvious.



Requirements



Development of an agreed definition of scope and liabilities of

vendor declarations for secure solutions.



6.2.4.	Evaluation of applications



Issue



The user's interest is ultimately in the security of his application. The

use of secure products and services is a necessary but not a sufficient

condition to meet the user requirements for the protection of the

application.



Discussion



At present, evaluations and certification schemes address primarily

products and systems. Communication services are only partially

addressed and applications running on the products and via networks (in

particular public networks) are left to the user to address. However

with the restrictive handling of confidentiality mechanisms and

opposition against end-to-end encryption, the user is left exposed.



Requirements



Extension of ITSEC criteria and methods to cover services and

applications.



6.2.5.	Evaluation of communication services 



Issue



With the ITSEC and ITSEM, Europe already has a scheme for the

independent security evaluation of IT-products and (to some extent)

IT-systems. At the moment this scheme does not fully cover the aspect

of the evaluation of telecommunication services, but extensions to this

scheme seem possible which are able to address the items not yet

covered by the current ITSEC/ITSEM scheme.



Discussion



The main item where communications security is considered in the public

is in the area of telecommunication services. Especially when people

send sensitive information to others using telecommunication services

they are interested that this information



gets to the intended recipient(s) in time



is not altered by the service



is not received by anyone other than the intended recipient(s).



Not all these aspects are of the same importance for each kind of

communication. The level of importance is highly dependent on the kind

of information one wants to transfer.



The use of telecommunication services grows rapidly as more powerful

equipment and services become available. A lot of companies and

especially administrations have policies which forbid the use of

specific telecommunication services for highly sensitive information

since they do not trust the communication service providers to enforce

some of the above mentioned security issues adequately. They

use conventional techniques for the exchange of sensitive information

with conventional security measures (eg sending sealed letters by

registered mail or by courier).



In a time where industrial success depends on the fast exchange of all

types of information these conventional techniques become more and more

unacceptable. So the service providers will incorporate security

provisions within their services. But nevertheless a lot of companies

(and the national governments) will continue to use the conventional

techniques since they do not trust those security services unless they

are under their own control or being verified by independent experts.



Providing a security service as part of a telecommunication service

will normally result in all entities involved in the provision of the

telecommunication service being involved in providing the security

service. Additional entities may even be necessary (like eg a trusted

third party for key management issues or authentication services).

These entities use systems and products to provide their part of

telecommunication (and security) service. The total service is

therefore provided by an interaction of all the entities.



The current ITSEC/ITSEM scheme is aimed at the technical evaluation of

security measures within products and systems. It does not cover

organisational, personnel, administrative or non-IT related physical

security measures. Still many security services for telecommunication

will heavily rely not only on IT-security measures but also on the

above mentioned other security controls. For example a trusted third

party will surely need extensive organisational, personnel and non-IT

physical control. So it is clear that an extension to the ITSEC/ITSEM

evaluation scheme is necessary to cover these aspects. The following

section tries to identify how this can be done and which areas are not

yet covered.



Looking at communication services one can easily identify several

different types of communications-products and systems which have to

co-operate to provide the service. This includes for example



the end user equipment (telephone, modem or even his computer)



digital dialling switches



data concentrators



conventional computer systems with databases for eg user

profiles, directory information



conventional computer systems providing mailbox services



the communication media



gateways etc.



For a specific telecommunication service one can identify the task each

of these products or systems has to fulfil to provide this service. The

same is true for security services. Each component involved contributes

to one aspect of the security objectives or functions. These will then

differ significantly in the functionality as well as in the assurance

level required. Various topics regarding this may lead to problems, for

instance: assumptions on the security provisions to be taken in the

environment of the product or system. Some of the security measures

will heavily depend on hardware features. Evaluation of non-IT security

features, like effectiveness of personnel and administrative security

measures has to be established. The integration of all security

measures has to be checked for consistency, completeness and

effectiveness. For the evaluation of a communication service,

therefore, different evaluations of systems involved in providing the

service are necessary before the whole service can be evaluated.



Requirements



Extension of ITSEC to cover more explicitly evaluation of

hardware security features



Establishment of a formal accreditation scheme for secure

communication services



Development of accreditation guidelines for the

telecommunication sector



Trial service evaluations for existing telecommunication

services



Articulation of the requirements of service evaluation.



6.2.6.	Trusted network management



Issue



Trusted Network Management systems need to maintain a given assurance

level while optimising the use of communication assets to achieve good

economics and quality of service.



Discussion



There is a growing dependence on the security of network management

systems for managing and controlling the provision of

telecommunications. This is due to an increased reliance on distributed

systems, the provision of new value added services and operations, and

on the increased sophistication and richness of network and service

functionality. Such dependency is placing greater demands on

performance and quality of service. Tomorrow's electronic highways

should be managed networks that should ideally interoperate in a

seamless way to ensure efficient "self-healing" network operations and

flexible creation and provision of a broad range of services, including

those supplied by third party suppliers. The management of

telecommunications systems security is thus growing in complexity

commensurate with the growth in communications systems and the

associated services and business use.



The major network management issues involve the protection of

electronic information in storage, in transmission and being processed:

information used and applied to the controlling and maintenance of

networks and services, and information that is used as input to the process

of decision making and operational support, and which is also used as

input to the emerging new wave of intelligent systems and

communications. The provision of appropriate and effective network

management solutions is fundamental to the success of the future

telecommunications infrastructure for Europe.



Given the complex telecommunication systems that are evolving, the

interrelationships that are needed for multi-domain working, grade of

service requirements against a future European framework for

legislation and regulation needed to maintain multi-domain working, the

provision and maintenance of network management security, the question

of security evaluation is a key issue. What is the alternative if

evaluation of network management security is not carried out?



There are a number of constraints imposed by end users, service

providers and network operators on the provision of security for

network management eg concerning the employment of intelligence in

networks and the idea of securing shared resources, dealing with

different threat analysis and the responsibility for service

liability.



Requirements



Methods for network management evaluation



Extension of ITSEC to cover the evaluation of network

management systems



Definition of Functionality Classes (or Protection Profiles)

suitable for systems, products and services used in network

management systems



Accreditation guidelines for trusted network management



Trial evaluations for existing network management systems.



6.2.7.	Modifications to evaluated products and re-evaluation



Issue



The shortening life cycle of products and the rapid evolution of

services and applications due to competitive pressures implies the need

for frequent adaptations and therefore re-evaluation.



Discussion



The impact of Open Systems, with its emphasis on portability and

interoperability, has resulted in many new products being incremental

releases of existing products, for new operational platforms,

applications, etc.  There may be multiple releases or versions of a

hardware or software solution in a short period of time. The

maintenance issues of many similar and homogeneous configurations

making up a product line are being understood.



The evaluation and certification of the product may take longer than

the period between releases or updates to the solution. A certificate

currently applies to a specific release or version. Changes may

invalidate the certificate.



There is a need to devise a method to cope with these product or system

changes so that the certified status of a product may be maintained.



Particular concerns include:



Scope of the evaluation - Is an evaluation necessary for every

single platform-dependent configuration of a product already

certified?



Assurance - Is it necessary to have an entire new release

evaluated again in which only a small modification occurred (eg

a spelling mistake in the user interface)?



Re-use of previous evaluation work and results - Must the

evaluation of sensitive and relevant but unmodified components

of a product be repeated?



ITSEC and ITSEM have created a good basis on which to identify the key

issues of re-evaluation and subsequent re-certification.



Practical experience of re-evaluation is limited but the problem may be

mitigated by identifying key requirements. One approach is to

categorise code in the security Target of Evaluation (ITSEC-TOE). This

"Traffic Light" approach includes:



a)      GREEN code that has no bearing on the security functionality of

the product or system and that may be modified in future releases

without impact on the security of the product or system.



b)      YELLOW code that might impact the security of the product or

system and that must be inspected by an independent party (such as an

INSEF) before re-certification can be considered.



c)      RED code that is critical to the security functionality of the

product or system for which modifications may require re-evaluation

of the whole product or system.



This structure will assist developers, evaluators and certifiers in

containing the level of necessary re-evaluation commitment following

any modifications.
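


The "Traffic Light" triage described above can be automated once the code of the TOE has been categorised. The sketch below is an added example, not part of the Green Book or of ITSEC/ITSEM: the source tree, the pattern table and the sample releases are constructed, and treating unclassified files as RED is an assumption made here so that the check fails closed.

```python
"""Traffic-light triage of a new release of a certified product (added example)."""
import posixpath
from dataclasses import dataclass
from fnmatch import fnmatchcase

GREEN, YELLOW, RED = "GREEN", "YELLOW", "RED"
SEVERITY = {GREEN: 0, YELLOW: 1, RED: 2}

# Consequence of each category, paraphrasing items a) to c) of the text.
ACTION = {
    GREEN: "no bearing on security functionality: certified status can be maintained",
    YELLOW: "independent inspection required before re-certification is considered",
    RED: "re-evaluation of the whole product or system may be required",
}

# Constructed categorisation of a hypothetical TOE source tree.
# Rules are ordered; the first matching pattern wins.
TOE_CLASSIFICATION = [
    ("src/auth/*", RED),      # authentication: security-critical
    ("src/audit/*", RED),     # audit trail: security-critical
    ("src/net/*", YELLOW),    # protocol handling: might impact security
    ("src/ui/*", GREEN),      # user interface texts and layout
    ("docs/*", GREEN),        # documentation
]


def classify(path, rules=TOE_CLASSIFICATION):
    """Return the traffic-light colour of one changed file."""
    # Normalise first, so that "src/ui/../auth/login.c" is judged as the
    # file it really is (src/auth/login.c) and not by its GREEN prefix.
    normalised = posixpath.normpath(path.replace("\\", "/"))
    for pattern, colour in rules:
        if fnmatchcase(normalised, pattern):
            return colour
    # Assumption of this example: a file nobody categorised is treated
    # as RED, so new code cannot bypass inspection by being unlisted.
    return RED


@dataclass
class Triage:
    colour: str       # most severe colour among the changed files
    action: str       # what that colour implies for the certificate
    by_colour: dict   # colour -> list of changed files in that category


def triage_release(changed_files, rules=TOE_CLASSIFICATION):
    """Categorise every changed file; the release inherits the worst colour."""
    by_colour = {GREEN: [], YELLOW: [], RED: []}
    for path in changed_files:
        by_colour[classify(path, rules)].append(path)
    touched = [colour for colour, files in by_colour.items() if files]
    worst = max(touched, key=SEVERITY.get, default=GREEN)
    return Triage(worst, ACTION[worst], by_colour)


# Constructed sample releases (lists of files changed since the certified version).
RELEASES = {
    "spelling fix in UI": ["src/ui/menu.c", "docs/manual.txt"],
    "new framing code": ["src/ui/menu.c", "src/net/framing.c"],
    "disguised auth change": ["src/ui/../auth/login.c"],
    "uncategorised build script": ["tools/build.sh"],
}

if __name__ == "__main__":
    for name, files in RELEASES.items():
        result = triage_release(files)
        print(f"{name}: {result.colour} - {result.action}")
```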



Experience is available in the parallel field of quality evaluation of

software products. A framework for re-evaluation is outlined in ISO 9126

and associated processes. It is likely that the impact of software

quality on "operational" correctness of security products will force

alignment of the various processes.



Requirements



Effective feedback from existing Community schemes, both

national and ITSEC related, on the problem of re-evaluation



Product-line structuring, understanding the current strategic

development of IT products and how this is likely to change

product cycles



Closer harmonisation of the evaluation process of all system

and product "qualities" (performance, reliability, security)

and how these may re-enforce each other in any re-evaluation

actions



Development of criteria for re-evaluation decisions



Development of "critical event" approach to re-evaluation



Development of self-diagnostic techniques and procedures for IS

maintenance.



6.2.8.	Performance reporting for trusted products



Issue



Obligation to take corrective action in the case of faults found in

evaluated products.



Discussion



Despite the successful evaluation and certification of a product or

system, there is a small chance, smaller with the higher assurance

levels, that a security related fault will be detected. The Developer

is likely to have this fault reported to him and ought to take steps to

correct this fault as quickly as possible and issue a new release of

the software or hardware. The Certification Body needs to be informed

of the fault and the steps the Developer intends to take to correct the

fault. The Certification Body and the Developer need to discuss the

need for any re-evaluation work and agree a timescale for this. Where a

Developer is unwilling to correct the fault, the Certification Body

needs to decide whether to withdraw the certified status and publish

the fact that a fault exists, although not necessarily the details of

the fault.



Requirements



Incident reporting system for Certification Bodies



Definition of user and supplier obligations to report incidents.



6.2.9.	Rationalisation of evaluations 



Issue



Speeding up and lowering the cost of evaluation, thereby improving the

attractiveness of security evaluations.



Discussion



Two key factors to the success of a security market enhancement are

that evaluations are approachable and that the products or systems are

developed in a way that is meant to meet the ITSEC requirements

beforehand. It must also be understood that in many industrial cases,

security, while indeed an important feature of a product or service, is

only one aspect of an even larger target which is product quality or

the quality of service.



Considerable work has been carried out in the broad field of software

quality and its engineering which might be valuable to the security

community.



Three standards address quality through an evaluation and certification

approach, namely ISO 9000, SEI CMM and ISO 9126, at the organisation

level, at the process level and at the product level, respectively.

Those standards are well established and the demand for certificates

based on them is growing rapidly.



There is an urgent need to consider the harmonisation of the ITSEC and

ITSEM contents, to take into account to a much larger and clearer

extent the benefits brought by those standards to security and to help

reduce costs and needs of several, disconnected or even conflicting

evaluations and certificates. The ITSEC approach seems to be

sufficiently well accepted today to consider its integration into a

broader context.



A closer technical look at quality standards and ITSEC/ITSEM taken

together shows that, although they are all basically based on the same

fundamental ideas and principles, there are residual conflicts when

evaluations are to be carried out, either due to different requirements

or to different evaluation approaches.



There are many ways in which the ITSEC could be made more compatible

with the quality certification domain. The following steps seem

relevant:



While preserving the current technical principles and

requirements, a better distinction between specifically

security related requirements and more quality related ones should

be made so that it becomes clearer, if not explicit, what the

various other evaluation systems and associated requirements

can cover or contribute to.



As all standards evolve, the ITSEC and ITSEM will have to be

updated, at the level of the actual required deliverables for

instance, to be directly compatible with what the other domains

require, while still keeping its specificity.



As the certification bodies of the quality fields become

Trusted Third Parties for the ITSEC community, parts of the

current ITSEC requirements might eventually be replaced by

requirements for relevant quality certificates, and hopefully

vice versa.



This plan suggests that the first step is one to consider directly today.



Few people involved today in security and its evaluation have a

software quality background, which has impeded until now the

harmonisation of the ITSEC with the other standards. Awareness raising

actions on this topic should be considered with a fairly high priority

level.



Requirements



Alignment of security evaluation criteria and methods with

those for quality and safety



Establishment of portability of results between quality of

service, safety and security evaluations.



6.3.	Supply related issues - technological change



Issue



Changes in the way in which technology is used throughout society will

result in demands for new technological approaches to information

security.



Discussion



Over the next decades it is to be expected that the macro economic

climate will change dramatically. This is mainly driven by the shift

in geographic location of the generation of the world's GDP from North

America and Europe to a more even spread, with the Pacific rim

countries producing a larger share. The health and nutrition problems

that will face the developing world will become more acute as a greater

fraction of their population enters adulthood.



Information underpins these processes in a number of ways. The

financial aspects of global businesses will become vital to their

survival and the timely, accurate and where appropriate private

communication of financial information on a global and adaptable scale

will be critical. Health care information will need to be routinely

available as health carers deal with the health problems of an

increasing number of mobile people. Transportation of food to areas in

need will require logistic information to be available in remote and

underdeveloped parts of the world quickly and accurately.



The developed world will make increasing use of their less structured

employment patterns to earn money in a variety of ways and in

performing a range of tasks, less and less to do with manufacturing.

Success will only be possible by the exploitation of mobility and wide

bandwidth telecommunications services. It has the potential to provide

quality of life together with high productivity. The effectiveness of

this approach, in providing a method of revenue generation, will

depend, inter alia, upon the performance, reliability and security of

the information and transportation infrastructures.



Driving technologies within this scenario are:



Wide bandwidth telecommunications, including

o Multi media applications and communications

o Global teleconferencing



Mobile services for all applications



Gigabyte storage in portable systems



Robotically controlled transportation mechanisms.



It will be essential for a range of security and safety features to be

embedded as a matter of design in all infrastructures, services and

applications for them to deliver the benefits that are expected by

their users.



Requirements



Wide bandwidth telecommunications.



Bandwidth will become a commodity on telecommunication systems.

The added value in using it comes from the quality of service

provided. One aspect of such quality is that of security. To

provide security on wide band public switched networks,

investment is needed that is focused on those aspects of

security that are required by a) the telecoms service provider

for his own purposes and b) the end user to support his

application. Community wide and international specifications on

security in ATM, SDH and associated signalling structures will

be necessary.



Multi media applications and communications



Multi media applications will integrate all known

representations of information into files, documents, messages

and displays. Representations such as voice, audio, still

image, text, video and graphics will become interchangeably

available from a range of equipments that users interact with,

including mobile telephones, personal computers, television

sets and personal communicators. All aspects of security must

be incorporated for potential implementation on all of these

systems in order that a user may implement a level of security

service appropriate to the application and the environment.



A key issue is to maintain the "veracity" of the information

transmitted. Veracity is the feature of a piece of information

(eg a video sequence) to be true.  Veracity is a wider concept

than integrity which is only concerned with the protection of

information during transmission and storage.



Another issue is concerned with the protection of information

through copyright.  Without suitable technical means to

safeguard the interests of the information owner, the evolution

towards the information society will be seriously hampered.



Global teleconferencing



Teleconferencing is becoming the substitute for travel. In

order to make it really cost effective all the above

applications, multimedia, mobility, access to mass data and if

necessary access to one or more parties who are travelling in

private vehicles need to be incorporated within the

teleconferencing application. True geographic independence will

come only if such an application works on a global scale and

provides all the security services that are needed by the

community of users. Such an application will demand the

integration of the security services provided for each of the

sub-applications alone. Specifications to allow such

integration should be defined and the technology to provide the

security functionality developed.



Mobile services for applications.



Mobility provides the end user with geographic independence.

The price paid for this independence is infrastructural

information and process that allows his demands on the

infrastructural services to be met wherever he is. Such

information and process has to, by design, have security

features incorporated. At the community level extensions of the

GSM concepts to allow all applications to function securely in

the way telephony does on GSM will require significant

technological investment.



Mass data storage and communications in portable systems.



Access to huge amounts of data from a mobile terminal will be

essential. Such data needs to be communicated securely,

whether it be held in volatile memory, in the form of

mechanically read ROM or transmitted over a network.

Specifications for securing such data need to be developed as

do the necessary bulk encryption services for huge data volumes.

The technology components of such services will be a major

challenge and need to be defined now.



Robotically controlled transportation mechanisms.



Human involvement in controlling mass transportation mechanisms

is already decreasing as technology becomes more reliable. If

human involvement for individual transportation is to shrink

in the same way then mass production of cost effective safety

assured technologies will be essential. Collision avoidance,

guidance and navigation systems will be essential parts of

every domestic vehicle and the requirements for the information

safety and security critical elements of such systems need to

be defined, standardised and developed.



7.	Liability related issues (Consequences of Security and Safety Incidents)



7.1.	Framework for international law relating to IS



[tba]



7.2.	Legal provisions for liability in global services



Issue



Liability is a difficult issue under the best of conditions, but in the

context of global telematics services it remains a matter of great

concern, and so far few advances have been accomplished.



Discussion



Liability is dealt with normally by a mixture of laws, regulations,

conventions and counselling reinforced by risk sharing arrangements, in

particular insurances. Legislation has so far evolved slowly and is

still far from the point where it can deal effectively with the issues

on a national level. When it comes to dealing with liability under

international law things become even more difficult. The same applies

to regulations. It is only the insurance industry which has started to

cover some of the risks. With the rapid increase in the use of

telematics clearly there is a need to come to a better understanding of

liability in the context of world-wide networking of services.



Requirements



Development of international framework for private law, especially liability



Application of "Verursacherprinzip"



Under this kind of liability the source of the information has the

responsibility to assure the proper use, its accuracy and the

compliance with the law and regulations. In the case of intermediaries

adding value the principle would be carried forward since the quality

of the information may have been significantly changed.



Application of "User Principle"



In this case the user is made liable for what is done with the

information and its consequences. He has to take all necessary steps to

ensure that the information is correct and applicable to its use.



7.3.	Insurance issues



Issue



[tba]



Discussion



For the public safety risks are addressed by the Insurance Industry

with the premiums calculated on the basis of the assessment of risks

reflecting past experience. For the risks associated with information

systems there is only the beginning of an extension to cover this kind

of risk. As the taking out of insurance policies is a natural, or

partial alternative to IS measures, an improved methodology for the

assessment of risks is important in adopting the most economic and

practicable solution. Of course, there are some application areas where

this approach is not or only partially acceptable.



Requirements



[tba]



7.4.	Monitoring of compliance



[tba]



Development of framework for the monitoring of compliance to

regulations, recommendations and good practices



7.5.	Metrics for loss assessment



Issues



There is a fundamental need for guidance of any kind on how to assess

the loss and damages an organisation might face and how much of this

might be addressed by evaluation and certification. Such metrics would

increase the perception of the value of a formal evaluation scheme.



Discussion



Action is necessary to ensure the effective international exploitation

of the security product evaluation and certification scheme. There must

be a competitive business advantage of developing, implementing and

using certified security products, and there must be a well understood

correlation between a certified security product and the problems that

it can solve.



Progress is hindered by lack of independent measures of the business

relevance of the certified product.



Measures can be obtained by:



vendor/user studies (from actual risk assessment)



product comparisons (using loss reduction models)



insurance contracts (both direct and consequential damage

assessment)



vendor cost/benefit profiles (market penetration, Software

engineering costs, etc.).



Such studies would prove invaluable to the SMEs who cannot justify

extensive Security controls yet are probably the most vulnerable to the

consequences of information abuse.



The ITSEC actions should reflect a balance between the product based

concepts of security objectives (codes of good practice) and

quantitative risk/loss assessment.



This should result in measured, affordable controls as a prerequisite

to developing a European and international security market.



Requirements



Such a quantitative approach must address:



mapping certified product features to specific security incidents



common, product independent risk analysis processes



insurance processes recognising the advantages of certified products



the recognition of security incidents by the legal, regulating

and financial community.



A short term approach would be to raise awareness of the security

exposures of using poorly complying (non-assurance, non-certified)

products.



8.	Spectrum of Measures



8.1.	Common Framework and Consensus



Objective



To provide a minimum framework for trusted information and

communications services on an international scale and to establish a

multi-actor consensus on essential requirements and options for the

provision of information security and related issues.



Background



Information and its exchange via global networks is inextricably

associated with all public and private activities involving the

citizen, service providers, operators, vendors, administrations and

authorities in numerous ways for all kinds of purposes. With the

increasing globalisation of the economies an agreed framework for the

protection of information either associated with intellectual property,

privacy, internal security and other legitimate reasons is needed.

While there are several conventions and recommendations, the rapid

evolution of technology and services implies the need to reflect on a

common framework which could assist countries and regions to maintain

interworking and avoid technical barriers to trade and communications

without compromising their priorities in the protection of information

assets.



Solutions for open communications between a variety of parties on a

global scale do exist. They differ in detail and convenience in usage.

However, the ability to use them depends critically on a broad

consensus on the use of one or the other option. Nationally constrained

solutions, such as DES and RSA in the USA, are of little utility if they

cannot be used by US business in the pursuit of their global business

interests and vice versa if others cannot make use of these techniques

for their communications with US partners.



To achieve agreement and reasonably general acceptance by the users

concerned is as important as the technical performance of the solution

in question.



Tasks 



Development of a Common Framework to address the following issues:



Revision of scope and approach to information security to

reflect the new conditions, challenges and requirements brought

about by globalisation (4.1.)



Verification of the existing provisions with respect to their

conformance to the Internal Market Policy of the EC implying

the removal of existing internal barriers and the avoidance of

the formation of new technical barriers due to divergent

application of IS rules, regulations and legislation (4.2.)



Definition of a common approach defining rights,

responsibilities and duties of citizens and business on the one

hand, and that of the authorities on the other hand (4.3.)



Development of a common approach defining the rights of

citizens and business users on the one hand and that of

corporations, organisations and authorities using biometric

techniques (4.4.)



Development of a generic framework for the management of open

and protected communications in a user/business oriented

environment (4.5.)



Concerted effort to address the common requirements of

business, citizens and authorities to adequately protect

non-classified information and its communication (4.6.)



Common approach to the assignment of responsibility and

liability (4.9.)



Clarification of "Info-Ethics" for the professional and

individual user in its relationship to Information Security



Clarification of responsibilities of the sector actors in

general and in their relations with each other, with

particular reference to open and distributed applications

(4.10.)



Concerted effort to address a common approach to the handling

of security and safety critical requirements (4.10.)



Development of a common approach to security evaluation of

information systems in safety-critical environments (4.11.)



Common framework for domain interworking (5.6.)



Clarification of the right to signature and the attached

authority (5.8.2.)



Common approach to the security of electronically stored

information (5.8.7.)



Proposal for frameworks and architectures which are accepted

by the business users as well as by the national security

agencies and the service providers (5.9.1.)



Framework for the provision of trans-domain confidentiality

services. Mechanisms are needed that provide for a defined way

to pass from one domain to another. This will require

collective or multilateral agreements for interoperation

(5.9.2.)



Adoption of a confidentiality algorithm standard and

specification, and a key distribution mechanism based on an

asymmetric public key algorithm (6.1.5.)



Develop an approach to date and time stamping for time-critical

transactions and applications (6.1.8.)



Establish conditions and procedures for mutual recognition of

evaluations (6.2.2.)



Development of an agreed definition of scope and liabilities of

vendor declarations for secure solutions (6.2.3.)



8.2.	Awareness, education and training



Objective



Improved awareness of the issues of information security by specific

actions and a greater emphasis in the education and training of related

professions.



Background



In the end it is the human factor which decides the level of

information security, irrespective of the technical and operational

measures one may wish to deploy. In this sense awareness and the

teaching of appropriate skills in the context of the information

professions, is an important measure to be considered. This may entail

the creation of special training schemes and curricula, but most of all

the appropriate inclusion of information security related issues in the

teaching of information professions in general. This is in many cases

essential, since information security is very closely related to the

way information is used in a given context, ie often it has to be

embedded in the application and management procedure and can not be

added on as an external procedure.



Tasks



Inclusion in the curriculum of relevant educational institutes

(eg engineering, law and business schools) of the use of digital

signatures (5.8.6.)



Awareness of sector actors of the potential losses due to the

absence of confidentiality services (5.9.1.)



Initiate investigation to assist those member states not

involved in the early stages of ITSEC to develop and test

procurement policies that are based on evaluated communications

products (5.11.)



8.3.	Agreements



Objective



International agreements on a minimum set of features and operational

concepts as required for trusted and open service provision.



Background



While a common framework and general consensus may go a long way, there

is the need to get formal agreement on certain aspects. These may, for

example, relate to issues surrounding liability, accreditation and

certification and the fighting of organised crime.



Tasks



Development of a Common Framework to address the following issues:



4.4.	Human Rights and biometrics



4.6.	Management of Openness and Protection



4.7.	Common concerns of commercial and national security



4.8.	Security and Law enforcement on international scale



5.6.	Security domains



5.8.	Signature issues



5.8.2. 	The individual right to signature



5.8.3.	Consistency of legal principles



5.10.	Motivation to acquire evaluated products



5.11.	Consistency of procurement practices



6.1.4.	Use of names and certification of credentials



6.1.5.	Key management service



6.1.6.	Directory services



6.1.7.	Legal services



6.1.8.	Guaranteed date and time stamping



6.1.9.	Negotiable document transaction



6.2.1.	Perceived Requirements for trusted solutions



6.2.2.	International harmonisation and mutual recognition



6.2.3.	Vendor Declarations



6.2.4.	Evaluation of applications



8.4.	Common Practices and Codes of Conduct



Objectives



Development of Codes of Practice to



support the development and harmonisation of sectorial practices



support the development of a standardised approach to the

development of baseline controls



support the development and harmonisation of baseline controls.



Background



Codes of practice are found in many industries and disciplines. They

encapsulate the collective wisdom and experience of the practitioners

of a trade or profession or of an industry. Examples are the codes of

practice for the building trade. To the practitioners of a trade or

profession, the need for codes of practice is self evident.



Codes of practice are not always obvious because they are often given

other names. In some situations they may be called standards manuals, in

others requirements specifications. The property that sets them apart

and makes them recognisable as codes of practice is the encapsulation

of collective wisdom. The collective wisdom represents the means by

which all parties to a transaction are protected from harm. In legal or

business management terms this may be called a "standard of due care."



Any professional discipline needs to have a vehicle to encapsulate the

collective wisdom of its practitioners. They help to ensure consistency

across the wide spectrum of practitioners. That has to be true of

something as important as information processing.



We have mentioned elsewhere the move towards empowerment and

distributed systems. Empowerment means that the person responsible for

an operating unit of an enterprise is free to obtain its services and

resources anywhere. Where once information processing was done

in-house, it is now just as likely to be out-sourced.



When information was once processed centrally the computer centre was

well protected, both physically and logically. Indeed the protection of

computer centres was the trigger for the development of corporate

information security programmes. With information processing spread

throughout the enterprise, the need for a central site vanishes. With

it goes the ease of justifying the costs of high levels of security.



These two factors taken together mean that responsibility for

information security is fragmented and put in the hands of people who

have other responsibilities. Their mind set does not contain the same

awareness of the need for security. Neither do they understand the

interdependence of security and control measures.



The growth of legal, regulatory and contractual requirements for

security creates the need for a generally accepted set of controls and

security measures. Words like due diligence and compliance with best

practice can be satisfied by compliance with codes of practice. They

provide the baseline needed for any comparison of actual with best

practice.



Looking to the future we can see that information processing will

become a basic skill for any skilled worker or manager. Where

industries have their own codes of practice governing the way they

operate, information security should become a sub-set.



Codes of practice must be formulated in such a way that audits can be

performed to establish compliance.



Tasks

Development of:



Review of current design practices and codes of conduct with

the aim of generating a community wide standard for the safety

of systems (4.5.)



Codes of practice for the handling of non-classified

information, as opposed to classified information.  This should

include rules for labelling of information. (4.7.)



Guidelines to establish "cost of security" (4.9.)



Assignment of responsibility and liability in global services (4.9.)



Sector-specific codes of practice and base line controls, eg for:

o finance

o insurance

o trade

o medical

o telecommunications

o electronic service providers (including rules for

inter-operation)

o administrations



(5.4.)



Guidelines for the selection of security methodologies (5.5.)



Code of Practice for data labelling (5.7.)



Model contract clauses for contracts between service providers,

TTPs and users, especially confidentiality service providers

and services operating across national boundaries (5.9.1.,

5.9.2., 5.9.3.)



Good practices for the operation of TTPs, specifically

regarding availability, confidentiality, response times, rules

of disclosure (6.1.2.)



International guidelines for the accreditation and audit of

TTPs (6.1.3.)



International guidelines for

o naming and certification

o key management

o directory services

o legal services

o time stamping

o negotiable document transactions

(6.1.4. to 6.1.9.)



Rules for vendor declarations, as to the security of their

products (6.2.3.)



User and supplier obligations to report incidents (6.2.8.)



Guidelines for the monitoring of compliance to codes of

practice (7.4.)



Rules for loss assessment (7.5.)



8.5.	Specifications



Objectives



To develop specifications for the application of security, in order to

ensure interworking, interoperation and mutual recognition.



Background



Functional specifications for products or services are documents that

are to be used as parts of purchase specifications. They specify the

functions of a solution and the required performance characteristics.

Implementation aspects are only dealt with if they are particularly

important for the fulfilment of a specific function. Specifications

call up standards and profiles, as far as available.  Options in the

standards are resolved in specifications.



Common specifications for methodologies, eg evaluation, serve as a

basis for mutual recognition.



Tasks



Development of:



Specifications for solutions to confidentiality and integrity

services (4.8.)



Methodologies for the assessment of threats, vulnerabilities,

and hazards for safety critical systems (4.11.)



Development of methods of testing that enable standards of

reliability to be ensured, including tests to destruction where

appropriate (4.12.)



Definition of requirements for fail-safe system architectures

and implementations (4.12.)



Specifications of security evaluations for safety critical

environments



Taxonomy of user requirements for enterprises, individuals and

citizens (5.1., 5.2.)



Identify and group access control scenarios, to determine

levels of commonality (5.8.1.)



Identify techniques, products, specifications and standards

addressing access control, and associate them with the

identified scenarios (5.8.1.)



Identify parameters common to most or all of the above

techniques, products, specifications and standards and

investigate the feasibility of establishing common formats for

them (5.8.1.)



Identify the key features for coherence in the supporting

infrastructure (5.8.1.)



Define a limited number of basic access control mechanisms for

pilot implementation (5.8.1.)



Specification of a signature scheme (5.8.4.)



Specification of application oriented integration of the

signature scheme (5.8.4.)



Specification of an Application Program Interface (API) for the

signature scheme (5.8.4.)



Specification of the use of multiple signatures (5.8.4.)



Specification of key usage for integrity and confidentiality

(5.8.5.)



Specification for the practical use of digital signatures as a

full equivalent to manual signatures (5.8.6.)



Specification for the handling of electronically stored

information (5.8.7.)



Specification of an approach to confidentiality (5.9.1.)



Assurance criteria for confidentiality service providers and

operators (5.9.2.)



Specification for the inter-operability of confidentiality

services (5.9.3.)



Specification for date and time stamping (6.1.8.)



8.6.	Standards



Objective



Development of standards for IS.



Background



European security standards developed over the next decade will have a

decisive influence on the technological structure of the entire

European market and will change the conditions of trade in export

markets and national markets.



The standards making infrastructure for the development of IT and

telecommunication standards has become increasingly complex. The number

of groups, the range of work items and the overall process at

different levels of international, regional and national

standardisation is a complex maze. Security standardisation is no

exception to this situation. In general there is a recurring problem

which is that of coordination between groups developing standards

similar in nature and scope. Such coordination is necessary to avoid

duplication of work and the unnecessary waste of resource, and to

ensure that the standards that are developed are consistent and that they

form a coherent set.



At the European level the establishment of the Advisory Expert Group

ITAEGV has provided an ideal mechanism for the coordination of security

standards work within Europe. In addition, ITAEGV is in the process of

developing a European Memorandum, M-IT-06, which is a Taxonomy and

Directory of European Standardisation Requirements for Information

Systems Security based on market driven requirements. This memorandum

also contains a future work programme for security standardisation.



Hence Europe is now demonstrating through this action a clearly defined

strategic stance on security standardisation. One that is demonstrating

effective coordination, leadership and a market driven focused approach

to standardisation.



Traditionally the principal contributors to standards making have been

suppliers, designers and professionals. The end user of products and

services has only been peripherally interested or involved. The end

user has been concerned that standards have been used in relation to

the products he buys but not greatly interested in what they are.



There is a need for a more effective mechanism and framework through

which user interests are able to collectively express their requirements

and priorities so that they can contribute to the standardisation

process in a way which will balance the very strong interest of the

supply industry.



This mechanism should be used to provide greater user input into the

development of the European Memorandum, M-IT-06 (The Taxonomy and

Directory of European Standardisation Requirements for Information

Systems Security). This memorandum also contains a future work

programme for security standardisation.



The long-term benefits of security standardisation require investment

by companies and users and as such they must be prepared to organise

themselves more effectively to participate in the standards making

process.



Tasks



Define a solution to the specification, standardisation and

licensing problem of cryptographic algorithms (5.8.4.).



Develop standards for:



identify and group access control scenarios, to determine

levels of commonality (5.8.1.)



identify techniques, products, specifications and standards

addressing access control, and associate them with the

identified scenarios (5.8.1.)



identify parameters common to most or all of the above

techniques, products, specifications and standards and

investigate the feasibility of establishing common formats for

them (5.8.1.)



identify the key features for coherence in the supporting

infrastructure (5.8.1.)



define a limited number of basic access control mechanisms for

pilot implementation (5.8.1.)



Digital signatures, including for application oriented

integration and a general application programming interface

(API) for integration of security services which could be

easily integrated into almost any application (5.8.4.)



Profile - or functional - standards to support CCITT X.509 (5.8.5.)



Services and service provision. Ensure that the confidentiality

services are compatible with existing communication standards

and practices where possible (5.9.1.)



Minimum requirements to ensure interoperability of procedure

and operating practices for confidentiality services (5.9.3.)



Evaluation criteria and methods (6.2.2.).



8.7.	Products and Services



Objective



In order to facilitate a harmonious development of the provision of

security of information systems in the Community for the protection of

the public and of business interests, it will be necessary to develop a

consistent approach as to its provision of security. Where independent

organisations will have to be mandated, their functions and conditions

will need to be defined and agreed and, where required, embedded into

the regulatory framework. The objective would be to come to a clearly

defined and agreed sharing of responsibilities between the different

actors on a Community level as a prerequisite for mutual recognition.



Background



At present, the provision of security of information systems is well

organised only for specific areas and limited to addressing their

specific needs. The organisation on a European level is mostly

informal, and mutual recognition of verification and certification is

not yet established outside closed groups. With the growing importance

of the security of information systems, the need for defining a

consistent approach to the provision of security for information

systems in Europe and internationally is becoming urgent. The most

urgent needs identified relate to digital signatures and

confidentiality services.



Tasks



Verification of the existing provisions with respect to their

conformance to the Internal Market Policy of the EC implying

the removal of existing internal barriers and the avoidance of

the formation of new technical barriers due to divergent

application of IS rules, regulations and legislation (4.2.)



Provision of IS to business and the public of solutions freely

applicable throughout the Community and on a preferential basis

at the international level (4.2.)



An effective, internationally agreed, economic, ethical and

usable solution to meet business, administration and personal

needs including mechanisms for authorised interception and

reporting of incidents and crimes adjusted to the conditions of

the Internal Market, and to include the necessary equipment and

software, but also an infrastructure of Trusted Third Parties.

This will discourage "home-made" or other solutions (4.8.)



Recommendation for the implementation of a public digital

signature scheme for use by business, administrations and the

general public (5.8.3.)



Development of a general application programming interface

(API) for integration of security services which could be

easily integrated into most applications (This could as well

include codes which explain the intention of the applied

signature.) (5.8.4.)



Development of transaction-oriented multiple signature schemes

(5.8.4.)



Framework for the provision of trans-domain confidentiality

services (Mechanisms are needed that provide for a defined way

to pass from one domain to another. This will require

collective or multilateral agreements for interoperation.)

(5.9.2.)



Demonstration of trans-European confidentiality services using

a suitable application, eg the realisation of administrative

telematics applications (5.9.3.)



Trial service evaluations for existing telecommunication

services (6.2.5.)



Incident reporting system for Certification Bodies (6.2.8.)



8.8.    Technology



Objective



Systematic investigation and development of the technology to permit

economically viable and operationally satisfactory solutions to a range

of present and future requirements for the security of information

systems.



Background



Work on security of information systems would need to address

development and implementation strategies, technologies, and

integration and verification.



The strategic R&D work would have to cover conceptual models for secure

systems (secure against compromise, unauthorised modifications and

denial of service), functional requirements models, risk models and

architectures for security.



Verification and validation of the security of the technical system and

its applicability would be investigated through integration and

verification projects.



In addition to the consolidation and development of security

technology, a number of accompanying measures are required concerned

with the creation, maintenance and consistent application of standards,

and the validation and certification of IT and telecommunication

products with respect to their security properties, including

validation and certification of methods to design and implement

systems.



The fourth RD&T Community Framework Programme might be one of the tools

to foster co-operative projects at precompetitive and prenormative

levels.



Tasks



Demonstration, through pilot projects, that digital signatures

can be used as equivalent to hand-written signatures (5.8.6.)



Development of techniques for the establishment, handling and

recording of Electronic Negotiable Documents (6.1.9.)



Adapt to technological change:



Wide bandwidth telecommunications.



Bandwidth will become a commodity on telecommunication systems.

The added value in using it comes from the quality of service

provided. One aspect of such quality is that of security. To

provide security on wide band public switched networks,

investment is needed that is focused on those aspects of

security that are required by a) the telecoms service provider

for his own purposes and b) the end user to support his

application. Community wide and international specifications on

security in ATM, SDH and associated signalling structures will

be necessary.



Multi media applications and communications



Multi media applications will integrate all known

representations of information into files, documents, messages

and displays. Representations such as voice, audio, still

image, text, video and graphics will become interchangeably

available from a range of equipments that users interact with,

including mobile telephones, personal computers, television

sets and personal communicators. All aspects of security must

be incorporated for potential implementation on all of these

systems in order that a user may implement a level of security

service appropriate to the application and the environment.



A key issue is to maintain the "veracity" of the information

transmitted. Veracity is the feature of a piece of information

(eg a video sequence) to be true.  Veracity is a wider concept

than integrity which is only concerned with the protection of

information during transmission and storage.



Another issue is concerned with the protection of information

through copyright.  Without suitable technical means to

safeguard the interests of the information owner, the evolution

towards the information society will be seriously hampered.



Global teleconferencing



Teleconferencing is becoming the substitute for travel. In

order to make it really cost effective all the above

applications, multimedia, mobility, access to mass data and if

necessary access to one or more parties who are travelling in

private vehicles need to be incorporated within the

teleconferencing application. True geographic independence will

come only if such an application works on a global scale and

provides all the security services that are needed by the

community of users. Such an application will demand the

integration of the security services provided for each of the

sub-applications alone. Specifications to allow such

integration should be defined and the technology to provide the

security functionality developed.



Mobile services for applications.



Mobility provides the end user with geographic independence.

The price paid for this independence is infrastructural

information and process that allows his demands on the

infrastructural services to be met wherever he is. Such

information and process has to, by design, have security

features incorporated. At the community level extensions of the

GSM concepts to allow all applications to function securely in

the way telephony does on GSM will require significant

technological investment.



Mass data storage and communications in portable systems.



Access to huge amounts of data from a mobile terminal will be

essential. Such data needs to be communicated securely,

whether it be held in volatile memory, in the form of

mechanically read ROM or transmitted over a network.

Specifications for securing such data need to be developed as

do the necessary bulk encryption services for huge data volumes.

The technology components of such services will be a major

challenge and need to be defined now.



Robotically controlled transportation mechanisms.



Human involvement in controlling mass transportation mechanisms

is already decreasing as technology becomes more reliable. If

human involvement for individual transportation is to shrink

in the same way then mass production of cost effective safety

assured technologies will be essential. Collision avoidance,

guidance and navigation systems will be essential parts of

every domestic vehicle and the requirements for the information

safety and security critical elements of such systems need to

be defined, standardised and developed.



8.9.    Regulation and Legislation



Objective



Adjustment of national regulations and legislation to permit seamless

interworking of trusted services.



Background



The provision of information security is seen to be related in some areas

closely to public order and defence issues. The related national

regulations and legislations vary considerably. In order to avoid the

creation of technical barriers to trade and communications outside the

domains of internal order and national security, adjustments of

legislation and regulations may be required in some countries.



Tasks



Development of a legal framework to address the following issues:



Verification of the existing provisions with respect to their

conformance to the Internal Market Policy of the EC implying

the removal of existing internal barriers and the avoidance of

the formation of new technical barriers due to divergent

application of IS rules, regulations and legislation (4.2.)



Clarification of the ownership and privacy issues surrounding

biometric data (4.4.)



Study the legal environment within which vendors and users of

safety critical systems work, with the objective of harmonising

that environment (4.5.)



Need to provide business and the general public with an

effective, economic and usable security solution to meet their

needs including a mechanism for authorised interception (4.8.)



Establishment of a network of Trusted Third Parties to provide

user support and manage directories (4.8.)



Clarification of responsibilities of the sector actors in

general and in their relations with each other, with

particular reference to open and distributed applications

(4.10.)



Agreement on management, TTPs, accreditation, auditing and

relations with law enforcement agencies (5.6.)



Clarification of the right to signature and the attached

authority (5.8.3.)



The legal functions of signatures need to be agreed

EC-wide/internationally. Once this is achieved, it is possible

to determine to what extent a code-of-practice will suffice.

One issue to be addressed is the intended use of the digital

signature, and the legal responsibility and liability of the

signing entity with regard to the signed information (5.8.3.)



Clarification of the conditions of acceptance of the authority

of an electronic signature, eg for legally binding purposes, ie

as substitute for hand-written original signatures (5.8.3.)



Solution to the licensing problem of cryptographic algorithms

(5.8.4.)



Definition of minimum requirements to ensure interoperability,

including standards, specifications, rules of procedure and

operating practices for autonomous confidentiality services

(5.9.3.)



Alignment of national procurement policies concerning evaluated

products (5.11.)



Definition of the classes of information used and the types of

damage that could be caused to the information owners (5.12.)



Definition of the rights and duties of information ownership

(5.12.)



Development of guidance for owners of information as to the

actions that they would have been expected to take to protect

their assets and avoid negligence charges (5.12.)



Development of the methods and procedures that should be used

to establish information value (5.12.)



Introduce or harmonise legislation to provide an appropriate

framework for arbitration, supervision and litigation (6.1.2.)



Adapt applicable legislation or regulations to provide an

appropriate legal framework for use throughout the Community

and in the relations with third countries (6.1.3.)



Harmonisation of legislation on the legal status of evidence

generated by any TTPs and especially on the intra- and extra-

community recognition thereof. This probably implies the

settlement of the accreditation question.



Promotion of community-level information technology litigation

services modelled after existing international bodies such as

the International Chamber of Commerce (6.1.7.)



Framework for international law relating to IS (7.1.)



Development of international framework for private law,

especially liability (7.2.)



8.10.   Accreditation



8.10.1. Accreditation of Services



Objective



Evaluation of communication services.



Background



Common criteria for security evaluation are mainly focused on IT

products and IT systems.  However, there is a perceived need for

criteria to support the evaluation of communication services.  These

latter criteria may be considered as an extension to the current

criteria or there may be a need to develop separate criteria.



The evaluation of a service and its subsequent accreditation will be a

critical requirement in many user applications, in particular those

that need to use trans-European communication services. The

consistency, completeness and effectiveness of the security

enhancements of communication services need to be checked for an

overall fitness for purpose. Hence there is a need for a framework for

accreditation of communications services.



Tasks



Establishment of a formal accreditation scheme for secure

communication services (6.2.5.)



Development of accreditation guidelines for the

telecommunication sector (6.2.5.)



Accreditation guidelines for the trusted network management

(6.2.6.)



8.10.2. Accreditation of TTPs



Objective



Procedures for the accreditation and audit of TTPs.



Background



TTPs will need to interwork and communicate internationally to provide

a service infrastructure to support a range of security services such

as digital signature and confidentiality.  TTPs will thus need to

process, store and distribute a range of security-related information

for the use and management of such services. This implies the need for

a set of harmonised procedures for the accreditation and audit of TTPs

in order to ensure mutual trust by the public in TTPs and the services

they provide.



Tasks



Development of international guidelines for the accreditation

and audit of TTPs (6.1.3.)



Adaptation of applicable legislation or regulations to provide

an appropriate legal framework for use throughout the Community

and in the relations with third countries (6.1.3.)



Annex: Recalling the Action Lines from the Council mandate



Action line I - Development of a strategic framework for the security

of information systems



Issue



Security of information systems is recognized as a pervasive quality

necessary in modern society. Electronic information services need a

secure telecommunications infrastructure, secure hard- and software as

well as secure usage and management. An overall strategy, considering

all aspects of security of information systems, needs to be

established, avoiding a fragmented approach. Any strategy for the

security of information processed in an electronic form must reflect

the wish of any society to operate effectively yet protect itself in a

rapidly changing world.



Objective



A strategically oriented framework has to be established to reconcile

social, economic and political objectives with technical, operational

and legislative options for the Community in an international context.

The sensitive balance between different concerns, objectives and

constraints is to be found by sector actors working together in the

development of a common perception and agreed strategy framework. These

are the prerequisites for reconciling interests and needs both

in policy-making and in industrial developments.



Status and trends



The situation is characterized by growing awareness of the need to act.

However, in the absence of an initiative to coordinate efforts, it

seems very likely that dispersed efforts in various sectors will create a

situation which will de facto be contradictory, creating progressively

more serious legal, social and economic problems.



Requirements, options and priorities



Such a shared framework would need to address and situate risk analysis

and risk management concerning the vulnerability of information and

related services, the alignment of laws and regulations associated with

computer/telecommunications abuse and misuse, administrative

infrastructures including security policies, and how these may be

effectively implemented by various industries/disciplines, and social

and privacy concerns (e.g. the application of identification,

authentication, non-repudiation and possibly authorization schemes in a

democratic environment).



Clear guidance is to be provided for the development of physical and

logical architectures for secure distributed information services,

standards, guidelines and definitions for assured security products and

services, pilots and prototypes to establish the viability of various

administrative structures, architectures and standards related to the

needs of specific sectors.



Security awareness must be created in order to influence the attitude

of the users towards an increased concern about security in information

technology (IT).



Action line II - Identification of user and service provider

requirements for the security of information systems



Issues



Security of information systems is the inherent prerequisite for the

integrity and trustworthiness of business applications, intellectual

property and confidentiality. This leads inevitably to a difficult

balance and sometimes choices, between a commitment to free trade and a

commitment to securing privacy and intellectual property. These choices

and compromises need to be based on a full appreciation of requirements

and the impact of possible options for the security of information

systems to respond to them.



User requirements imply the security functionalities of information

systems interdependent with technological, operational and regulatory

aspects. Therefore, a systematic investigation of security requirements

for information systems forms an essential part of the development of

appropriate and effective measures.



Objective



Establishing the nature and characteristics of requirements of users

and service providers and their relation to security measures of

information systems.



Status and trends



Hitherto, no concerted effort has been undertaken to identify the

rapidly evolving and changing requirements of the major actors for the

security of information systems. Member States of the Community have

identified the requirements for harmonization of national activities

(especially of the "IT security evaluation criteria"). Uniform

evaluation criteria and rules for mutual recognition of evaluation

certification are of major importance.



Requirements, options and priorities



As a basis for a consistent and transparent treatment of the justified

needs of the sector actors, it is considered necessary to develop an

agreed classification of user requirements and its relation to the

provision of security in information systems.



It is also considered important to identify requirements for

legislation, regulations and codes of practice in the light of an

assessment of trends in service characteristics and technology, to

identify alternative strategies for meeting the objectives by

administrative, service, operational and technical provisions, and to

assess the effectiveness, user friendliness and costs of alternative

security options and strategies for information systems for users,

service providers and operators.



Action Line III - Solutions for immediate and interim needs of users,

suppliers and service providers



Issues



At present it is possible to protect adequately computers from

unauthorized access from the outside world by "isolation", i.e. by

supplying conventional organizational and physical measures. This

applies also to electronic communications within a closed user group

operating on a dedicated network. The situation is very different if

the information is shared between user groups or exchanged via a

public, or generally accessible, network. Neither the technology,

terminals and services nor the related standards and procedures are

generally available to provide comparable security for information

systems in these cases.



Objectives



The objective has to be to provide, at short notice, solutions which

can respond to the most urgent needs of users, service providers and

manufacturers. This includes the use of common IT-security evaluation

criteria. These should be conceived as open towards future requirements

and solutions.



Status and trends



Some user groups have developed techniques and procedures for their

specific use responding, in particular, to the need for authentication,

integrity and non-repudiation. In general, magnetic cards or smart

cards are being used. Some are using more or less sophisticated

cryptographic techniques. Often this implied the definition of

user-group specific "authorities". However, it is difficult to

generalise these techniques and methods to meet the needs of an open

environment.



ISO is working on OSI Information System Security (ISO DIS 7498-2) and

CCITT in the context of X400. It is also possible to insert security

segments into the messages. Authentication, integrity and

non-repudiation are being addressed as part of the messages (EDIFACT)

as well as part of the X400 MHS.



At present, the Electronic Data Interchange (EDI) legal framework is

still at the stage of conception. The International Chamber of Commerce

has published uniform rules of conduct for the exchange of commercial

data via telecommunications networks.



Several countries (e.g. Germany, France, the United Kingdom and the

United States) have developed, or are developing, criteria to evaluate

the trustworthiness of IT and telecommunication products and systems

and the corresponding procedures for conducting evaluations. These

criteria have been coordinated with the national manufacturers and will

lead to an increasing number of reliable products and systems starting

with simple products. The establishment of national organizations which

will conduct evaluations and offer certificates will support this

trend.



Confidentiality provision is considered by most users as less

immediately important. In the future, however, this situation is likely

to change as advanced communication services and, in particular, mobile

services will have become all-pervasive.



Requirements, options and priorities



It is essential to develop as soon as possible the procedures,

standards, products and tools suited to assure security both in

information systems as such (computers, peripherals) and in public

communications networks. A high priority should be given to

authentication, integrity and non-repudiation. Pilot projects should be

carried out to establish the validity of the proposed solutions.

Solutions to priority needs on EDI are looked at in the TEDIS programme

within the more general content of this action plan.



Action line IV - Development of specifications, standardization,

evaluation and certification in respect of the security of information

systems



Issues



Requirements for the security of information systems are pervasive and

as such common specifications and standards are crucial. The absence of

agreed standards and specifications for IT security may present a major

barrier to the advance of information-based processes and services

throughout the economy and society. Actions are also required to

accelerate the development and use of technology and standards in

several related communication and computer network areas that are of

critical importance to users, industry and administrations.



Objective



Efforts are required to provide a means of supporting and performing

specific security functions in the general areas of OSI, ONP, ISDN/IBC

and network management. Inherently related to standardization and

specification are the techniques and approaches required for

verification, including certification leading to mutual recognition.

Where possible, internationally agreed solutions are to be supported.

The development and use of computer systems with security functions

should also be encouraged.



Status and trends



The United States, in particular, has taken major initiatives to

address the security of information systems. In Europe the subject is

treated in the context of IT and telecommunications standardization in

the context of ETSI and CEN/CENELEC in preparation of CCITT and ISO

work in the field.



In view of growing concern, the work in the United States is rapidly

intensifying and both vendors and service providers are increasing

their efforts in this area. In Europe, France, Germany and the United

Kingdom have independently started similar activities, but a common

effort corresponding to the United States is evolving only slowly.



Requirements, options and priorities



In the security of information systems there is inherently a very close

relationship between regulatory, operational, administrative and

technical aspects. Regulations need to be reflected in standards, and

provisions for the security of information systems need to comply in a

verifiable manner to the standards and regulations. In several aspects,

regulations require specifications which go beyond the conventional

scope of standardization, i.e. include codes of practice. Requirements

for standards and codes of practice are present in all areas of

security of information systems, and a distinction has to be made

between the protection requirements which correspond to the security

objectives and some of the technical requirements which can be

entrusted to the competent European standards bodies (CEN/CENELEC/

ETSI).



Specifications and standards must cover the subjects of security

services of information systems (personal and enterprise

authentication, non-repudiation protocols, legally acceptable

electronic proof, authorisation control), their communication services

(image communication privacy, mobile communications voice and data

privacy, data and image data-base protection, integrated services

security), their communication and security management (public/private

key system for open network operation, network management protection,

service provider protection) and their certification (assurance

criteria and levels, security assurance procedures for secure

information systems).



Action line V - Technological and operational developments in the

security of information systems



Issues



Systematic investigation and development of the technology to permit

economically viable and operationally satisfactory solutions to a range

of present and future requirements for the security of information

systems is a prerequisite for the development of the services market

and the competitiveness of the European economy as a whole.



Any technological developments in the security of information systems

will have to include both the aspects of computer security and security

of communications as most present-day systems are distributed systems,

and access to such systems is through communications services.



Objective



Systematic investigation and development of the technology to permit

economically viable and operationally satisfactory solutions to a range

of present and future requirements for the security of information

systems.



Requirements, options and priorities



Work on security of information systems would need to address

development and implementation strategies, technologies, and

integration and verification.



The strategic R&D work would have to cover conceptual models for secure

systems (secure against compromise, unauthorized modifications and

denial of service), functional requirements models, risk models and

architectures for security.



The technology-oriented R&D work would have to include user and message

authentication (e.g. through voice-analysis and electronic signatures),

technical interfaces and protocols for encryption, access control

mechanisms and implementation methods for provably secure systems.



Verification and validation of the security of the technical system and

its applicability would be investigated through integration and

verification projects.



In addition to the consolidation and development of security

technology, a number of accompanying measures are required concerned

with the creation, maintenance and consistent application of standards,

and the validation and certification of IT and telecommunication

products with respect to their security properties, including

validation and certification of methods to design and implement

systems.



The third RD&T Community Framework Programme might be used to foster

cooperative projects at precompetitive and prenormative levels.



Action line VI - Provision of security of information systems



Issues



Depending on the exact nature of the security features of information

systems, the required functions will need to be incorporated at

different parts of the information system including

terminals/computers, services, network management to cryptographic

devices, smart cards, public and private keys, etc. Some of these can

be expected to be embedded in the hardware or software provided by

vendors, while others may be part of distributed systems (e.g. network

management), in the possession of the individual user (e.g. smart

cards) or provided from a specialised organization (e.g.

public/private keys).



Most of the security products and services can be expected to be

provided by vendors, service providers or operators. For specific

functions, e.g. the provision of public/private keys, auditing

authorization, there may be the need to identify and mandate

appropriate organizations.



The same applies for certification, evaluation and verification of

quality of service which are functions which need to be addressed by

organizations independent of the interests of vendors, service

providers or operators. These organizations could be private,

governmental or licensed by government to perform delegated functions.



Objective



In order to facilitate a harmonious development of the provision of

security of information systems in the Community for the protection of

the public and of business interests, it will be necessary to develop a

consistent approach as to its provision of security. Where independent

organizations will have to be mandated, their functions and conditions

will need to be defined and agreed and, where required, embedded into

the regulatory framework. The objective would be to come to a clearly

defined and agreed sharing of responsibilities between the different

actors on a Community level as a prerequisite for mutual recognition.



Status and trends



At present, the provision of security of information systems is well

organized only for specific areas and limited to addressing their

specific needs. The organization on a European level is mostly

informal, and mutual recognition of verification and certification is

not yet established outside closed groups. With the growing importance

of the security of information systems, the need for defining a

consistent approach to the provision of security for information

systems in Europe and internationally is becoming urgent.



Requirements, options and priorities



Because of the number of different actors concerned and the close

relations to regulatory and legislative questions, it is particularly

important to pre-agree on the principles which should govern the

provision of the security of information systems.



In developing a consistent approach to this question, one will need to

address the aspects of identification and specification of functions

requiring, by their very nature, the availability of some independent

organizations (or interworking organizations). This could include

functions such as the administration of a public/private key system.



In addition, it is required to identify and specify, at an early stage,

the functions which in the public interest need to be entrusted to

independent organizations (or interworking organizations). This could,

for example, include auditing, quality assurance, verification,

certification and similar functions.





OJ No L 123, 8.5.1992, p.19



SOG-IS Opinion of 17.11.92 on objectives, scope and approach



Information Security is concerned with the protection of

information stored, processed or transmitted in electronic

form, against deliberate or accidental threats.



Information is acquired, communicated, processed and stored by

Information Services.  Electronic Information services need a

secure telecommunication infrastructure, secure terminals

(including processors and data bases) as well as secure usage.

The management of the service provision itself must also and

foremost be secure.  Therefore the approach to information

security starts from an analysis of the needs of an individual

or organisation for Information Services.



92/242/EEC



This danger has already been identified and OECD Member

Countries have, in the context of Protection of Privacy and

Transborder Data Flow of Personal Data, recognised the risk of

new technical barriers forming.  They have therefore agreed to

endeavour to remove and to avoid to create in the name of

privacy protection, unjustified obstacles to transborder flows

of personal data, co-operate in the implementation of the

Guidelines and agree as soon as possible on specific procedures

of consultation and co-operation for the application of these

Guidelines.



 