International body adopts network security standard

The International Organization for Standardization (ISO) approved last month a comprehensive model that identifies critical requirements to ensure end-to-end network security.

Specifically, the global standards group formally adopted ISO/IEC 18028-2, which defines a standard security architecture and provides a systematic approach to support the planning, design and implementation of information technology networks.

The standard is based on X.805, a framework Bell Labs created several years ago. The International Telecommunication Union (ITU), another standards body, adopted it before ISO.

Rati Thanawala, vice president of Bell Labs’ network planning, performance and economic analysis division, said the new ISO standard provides a consistent methodology for assessing end-to-end network security. She said it also provides a common language among IT network managers, administrators, engineers and security officers to address security with the emergence of new technologies and convergence of networks.

The standard also allows government and private-sector officials to perform cost-benefit analyses and better business continuity planning, Thanawala said.

“If you did have a disaster in communications, what is the impact of that?” she asked. “What is going to happen? It’s coming at a good time right now because right now is a very critical time for looking at security of communications networks.”

Bell Labs created the X.805 standard to ensure end-to-end interoperability and security for communications networks. Previously, it was an area driven by implementing devices, such as firewalls, here and there rather than looking at the issue holistically.

Thanawala said a working group was established about four years ago within ITU to address that issue, and it was then that Bell Labs created the X.805 architecture framework. For example, she said, there are not an infinite number of threats in a communications network, but only five.

“The five threats are how you can destroy information, corrupt information, remove information, disclose information or interrupt information,” she said. “There isn’t a sixth threat. Prior to taking a systemic approach to this, people thought there were an infinite number of threats to networks. But when you really get good subject-matter experts to sit down and start thinking about it, they said there are only five threats.”

Similarly, Thanawala said, there are only eight dimensions of security that must be addressed to prevent the exploitation of vulnerabilities. They include privacy, availability, integrity, communications flow, confidentiality, nonrepudiation, authentication and access control.

There are three security layers – infrastructure, services and applications – and three security planes – management, control and end-user – that represent the types of activities that take place on a network.

“So, basically there are five threats, eight dimensions, three security layers and three planes, and that’s a 72-cell matrix,” Thanawala said. “And that is the entire way of looking at security of any communications network. It could be the Internet. It could be the enterprise system. It could a sole operator.”

She said the standard is critical because communications is vital to many other infrastructures, such as banking and finance, transportation, and power.