82-03-10 Development and Implementation of Security Standards
John P. Hopkinson
Payoff
This article describes the groups involved in the process of developing standards for information security. The method by which an international security standard is produced is identified. In addition, the article includes a discussion on how standards are used, a review of recently published security standards, and current standards development programs. Problems with the current standardization process are identified together with potential resolutions.
Introduction
In today's commercial environment the need to communicate and the pressures to exchange information quickly are increasing. Electronic Data Interchange is a significant force in this direction. (In fact, Electronic Data Interchange is no longer seen as conferring competitive advantage; it is the competitive norm.) It is becoming essential for organizations to possess such technical capabilities if they are to remain competitive. For two or more computers to exchange information, they must either communicate in the same way or they must be able to translate data. To keep the number of options for information exchange and processing within reasonable bounds, some commonly agreed formats (known as standards) are helpful. These standards are important and are becoming more commonplace in information technology, and they can cover many areas. This article addresses standards for information security. It includes:
· An introduction to the different types of standards development groups.
· An insight into how standards are produced.
· A review of the major areas of standards development.
· Suggested improvements to the standards development process.
The suggested improvements stem from discussions with the users of standards.
Although some of the statements and assumptions may be applicable to other standards areas, they are primarily directed towards security standards.
Standards Development Groups
Standards development groups can be divided into the following types:
· International.
· Regional.
· National.
Each of these groups has a distinct level of involvement in the information security discipline. These groups are examined in the following sections.
International Standards Group
The first group of standards-writing bodies identified is the international one. This group consists primarily of these three organizations:
· The International Organization for Standardization (ISO).
· The International Electrotechnical Commission (IEC).
· The International Telecommunications Union (ITU), previously called the International Telegraph & Telephone Consultative Committee (CCITT).
ISO and ITU have the greatest level of activity in the information security area, and it is important to note that a great deal of cooperation exists between them. Activities are currently under way to enhance and expand this cooperation and make it more efficient.
International Standards Organization and IEC have been working together for many years in different, but related areas.
An example of ISO and IEC cooperative activities is the Joint Technical Committee 1 (JTC 1). Within ISO/IEC JTC 1, Subcommittee 27 is responsible for the development of security techniques. Subcommittee 27 consists of three working groups:
· Working Group 1, responsible for requirements, security services, and guidelines.
· Working Group 2, responsible for both cryptographic and noncryptographic techniques.
· Working Group 3, responsible for evaluation criteria.
It should be pointed out that, although ISO develops standards for the use of cryptography, it does not standardize cryptographic algorithms.
The other group within JTC 1 that is most heavily involved in security is Subcommittee 21. This group focuses on Open Systems Interconnection, and it concentrates on the modeling and framework aspects of security. Several other committees within ISO have some involvement with security (e.g., Subcommittees 6, 17, 18, 30, and Technical Committee 68), though to a much lesser extent than Subcommittee 27, which is entirely security oriented, and Subcommittee 21. Although it may appear that development of security standards is spread over many different groups, very close liaison exists between all the subcommittees and working groups. In addition, some moves are taking place to concentrate more security activities in Subcommittee 27.
Regional Standards Group
There is currently only one regional standards group, the European Commission. This body is developing standards for all countries that are part of the European Economic Community. The ultimate goal of this group is to develop a single set of standards for all Europe. This reduces incompatibilities or at least ensures interworking. The European Commission is putting considerable effort into the development of standards and investing heavily in the development of security standards.
Although only one regional standards-setting body exists at this time, it is reasonable to expect that others will appear. The development of multicountry free-trade blocs can be expected to stimulate the growth of this type of standards-setting body. It may be that the development of a North American free-trade area will lead to the formation of a regional standards body.
National Standards Group
The majority of nations have one or more standards-writing bodies. Within the national standards group, there tend to be two subgroups, one for the military and national security segments of the government, and one for the remainder of the government and the commercial sector. The differences between the two groups tend to be of degree and focus or direction, rather than fundamental differences of principle.
An additional area that should be mentioned is sectorial standards groups. In the national category there are many sectorial standards groups (e.g., banking and medical sector groups). In addition, many sectorial groups have international counterparts, and many are part of other organizations (e.g., the international Technical Committee 68, mentioned previously, deals with banking standards; Technical Committee 68 is also part of ISO/IEC).
Within different countries or communities, standards are used in different ways. In some cases, standards are given the force of law and must be complied with. In other areas, standards may be enforced by regulatory authorities with penalties set for noncompliance. And in other areas, standards are advisory and may be used if desired; although there may be encouragement to use standards, nonuse does not incur penalty.
These differences have an impact on the way in which standards are perceived within the different communities and the level of effort and involvement put into the development of standards.
Standards Development
International standards are usually developed by a process of consensus. (This is the case with ISO standards particularly.) The majority of parties involved in the development of the standard must agree on the content of the standard and the way in which it is written. This process affects all stages of the development of a standard. This technique may slow the process; however, the result is (hopefully) acceptable to all concerned. In addition, it ensures that no one group influences the standard unduly, thus gaining commercial advantage.
Another result of this process is that in many cases there are options available within the standard; two products may comply with the standard and yet not be completely compatible. Although this may be seen as a disadvantage of the standard, it is a natural consequence of the consensus process. To do otherwise would cause some groups to ignore the standards, thus defeating the whole standards-setting process. The standards provide a framework and a metric for obtaining interoperability. The process is by no means ideal; however, until one that is acceptable to all is developed, it is the only available process. In addition, standards groups often try to adapt standards that already exist to their own uses. There can be many sources of input. The initial input may come from such sources as another standards-writing body, de facto standards, commercial products, or in some cases research (although the latter case is unusual).
The experts who develop standards, for the most part, do so in their own time and through the auspices of their employers. They are not employed by the standards-writing bodies. The level of support within the community has a dramatic bearing on the number of contributing experts and their level of involvement. The majority of experts are experts in their particular technical field, not in writing standards. In addition, the writing ability of the experts may not be the foremost. Nonetheless, this process ensures that the individuals developing the standards are actively involved in the field, have practical and current experience, and are in tune with the future directions of the area. It also encourages greater participation.
Other Standards Groups
During the last few years, several other groups have emerged that claim to be developing standards. These groups include commercial vendors or vendor groups, and user groups.
The essential differences between these groups and the formal standards organizations are the following:
· They are not formally constituted.
· They are not open and they lack formal accrediting authorities.
· Their standards are not generally produced by consensus.
· They lack the formal procedures to verify a consensus position.
· They tend to serve a narrower community or interest.
· The results produced tend to be narrower in focus.
· The results tend to be difficult to expand or to apply to broader areas.
Although the international standards groups do sometimes make use of the products of these nonaccredited groups as a basis for the development of international standards, the standards frequently require considerable rework and modification, and the end result usually bears little resemblance to the original.
In general, ISO tends to avoid sectorial issues (with such obvious exceptions as banking), and it produces standards for the general community.
This is often not the case with the standards produced by other groups. This gives rise to considerable concerns particularly within the international standards community, because one of the key aims is to reduce fragmentation and barriers to linking systems together. The international community is driving towards truly open systems. Although some of these other groups may have open systems in mind, their results are often sectorial in nature and run counter to this direction.
Use of Standards
Standards are written with many different users in mind. However, they are primarily written for the use of the implementor of the standard. The implementation group could be the manufacturer of a product (e.g., a cryptographic device) or an organization that wishes to develop a system that includes cryptographic devices. They could also be systems integrators, value-added resellers, and third-party product developers. From the system implementor's point of view, standards are most important if they intend to use products from several different manufacturers. Standards are essential to ensure compatibility.
Standards also ensure that as products change and evolve, different elements continue to work together.
Trends in Development and Implementation
There is normally a time lag from the completion of a standard to its implementation in products. Two very important standards from a security perspective are the X400 and X500 standards. These standards have applicability beyond security. X400, originally published in 1984, was enhanced in 1988 as X400(88) and again in 1992 as X400(92). A number of products implementing the X400(88) enhancements are now available, with a few implementing the 92 enhancements as well. Some organizations have implemented mail systems using X400(88) and X500. Although the use of these standards requires careful planning, they provide considerable benefit to the organization.
A number of important areas are currently being worked on within several groups in the international community. These areas include:
· Security frameworks.
· Security guidelines.
· Security evaluation criteria.
· Security mechanisms.
Security Frameworks
Security frameworks are being developed based on the open systems security architecture, IS7498-2. They expand on the security services identified within the security architecture. The frameworks do not identify mechanisms to implement a particular service, but they do identify requirements for services and an overall structure. As an example, the cryptographic key management framework 11770-1 provides a general overview, while the supporting parts address such specific mechanisms as key management using symmetric or asymmetric algorithms. The frameworks are being developed by ISO/IEC JTC1/Subcommittee 21 and ISO/IEC JTC1/Subcommittee 27 in cooperation and are at differing stages of completion.
Security Guidelines
Security guidelines covering such areas as management, trusted third parties, baseline controls, and the use and selection of security services and mechanisms are in proposal or development stages. One of the most important projects within this area is the Guidelines for the Management of IT Security 13335. This guideline identifies the elements critical to security and the processes for their management. The guideline can be of use to the developers of standards to ensure that the elements and data that security requires are available. This assists implementors to ensure that all the elements are appropriately addressed for their environment.
Security Evaluation Criteria
The security evaluation criteria activity is of considerable importance. Currently there are a number of different sets of evaluation criteria in different countries. Without intergovernmental agreements to accept other governments' criteria, an evaluation of a product would have to be repeated. The ISO evaluation criterion is attempting to resolve this situation with an internationally determined set of functions, dependencies, and assurance scales. This work is still in the early stages and is expected to take two to three years to complete. After its completion, this evaluation criterion should make the international purchasing and integration of security products considerably easier.
Security Mechanisms
The area of security mechanisms covers a considerable number of topics. To an extent, this area relates to the use of cryptographic techniques to address such aspects as the integrity of information, authenticity, repudiation, authentication of entities, and confidentiality. These sets of standards are of considerable importance in a distributed and networked environment. The ability to achieve these functions for electronic commerce is vital.
Problems and Potential Resolutions
There is wide diversity in the level of knowledge about information security standards. Some organizations are very aware and make extensive use of standards. Others appear to have little knowledge or awareness of standards.
Many standards, particularly international ones, are very broad and permit several options. They do not contain an explanation of their intended use. Two products, both compliant with the standard, may not be compatible. As noted, this is a result of the consensus process. In addition, some standards (e.g., the Open Systems Interconnect Security Architecture IS 7498-2) are designed to allow the user of the standard to select from among several options. The US and UK government open systems interconnect profiles (GOSIPs) reduce the number of options available but still allow some selection by the ultimate user of the standard. One partial resolution is to include a section explaining the intended use of the standard; another is the development of international standards profiles, which permit fewer options.
Standards are often hard to read and very technical. This perhaps stems more from a lack of understanding on the part of the user, because standards, for the most part, are intended for the implementor. Another criticism is that there is a lack of guidelines for the implementation of standards. To develop a guideline for every individual standard would be an enormous task and would considerably slow the standards development process.
Producing guidelines for areas of concern or groups of standards is perhaps a more manageable task. It is a requirement that the international and national standards writing bodies have recognized and are moving to address. The process to be followed is still performed by consensus and thus the development may be prolonged. However, the process of developing guidelines is somewhat less formal and, therefore, development should not take as long as that for developing standards.
Another comment that is often heard from the commercial sector is that the majority of standards for security are written in language that is more appropriate to the military and high-security disciplines. It should be pointed out that the majority of funds allocated to research and standards writing activities have been provided by military and intelligence groups, directly or indirectly. It is probably inevitable that the results appear to be for those fields. If the commercial areas want standards and research that is more appropriate to their needs, they must invest in the research that is needed.
The final comment most frequently heard is that standards development is slow and lags behind industry development. The slow process is recognized by those involved in standards development, and every effort is made to reduce unnecessary delay. Beyond this, the only resolution is to have greater participation and commitment to standards development. As has been discussed, the consensus nature of the process inevitably causes delay. In addition, the voluntary nature of the process means that it is very dependent on the level of commitment to standardization of the participants.
Conclusion
Standards are necessary to ensure that proper communication occurs between systems.
Security standards provide a common basis for protection and management of information exchange.
Many groups can be involved in the development of standards; therefore, the development process can be slow. Although trends in improving development and implementation are occurring, all standards development processes have imperfections. In many cases, resolution of the problems can be achieved within the organization implementing the standards by following suggestions presented in this article.
To facilitate standards development, it is important that a wide cross-section of the community becomes involved in the process. This ensures that all parties using the standards are properly represented.
Author Biographies
John P. Hopkinson
John P. Hopkinson, ISP, CDRP, is a security architect for T-Base Research and Development Inc. in Ottawa, Canada.