Security experts define new priorities for security standardization
ETSI Headquarters, Sophia Antipolis, France - 29 January 2009
Standardization of security aspects of Information and Communication Technologies (ICT) continues to be a topic that needs careful balance, according the findings of the latest annual ETSI Security Workshop, which took place in January at ETSI's headquarters.
Nearly 100 security experts (plus numerous others participating by webcast) agreed that the current key issues were:
• prioritization of ICT standardization efforts: what areas should be (or should not be) addressed by standardization, especially in the face of the current global economic downturn;
• the need to better address citizens' security and privacy in current and emerging standards;
• the need for better evaluation of the use of standards and the need to assess the effectiveness of their implementation.
Charles Brookson, Chairman of ETSI's Security co-ordination group, said 'The Workshop, chaired this year by Carmine Rizzo, is unique in that it brings together colleagues from many other organisations concerned with security, such as the European Commission, ENISA, CEN, CENELEC, OMTP, ITU-T and 3GPP. With industry speakers as well, it gives a good overview of all the latest progress through a wide breadth of security initiatives'.
The workshop enabled experts from around the world to review and re-define standardization priorities within the ICT security sector. Delegates agreed that, whilst there are already many security-related standards available (from ETSI and other organizations), the choice of which security aspects to standardize is critical, as is the need for good co-ordination between standards organizations. Areas where systems interconnect or interact, including networked critical infrastructures, public safety communications and areas that include the electronic storage or exchange of personal information, were all judged to be of vital importance.
Ultimately, standards need to be appropriate to real needs, so consultations with, and participation by, users and other stakeholders were also considered vital. The workshop reiterated that standardization must never be viewed in isolation but rather as part of a process that includes research, development, implementation and maintenance.
The delegates also agreed that the ability to demonstrate compliance with standards was of fundamental importance if the effectiveness of security measures in the implemented products using the standards is to be assured. Standards-makers were therefore encouraged to ensure that the standards can be validated and feedback from standards users integrated into the ongoing standards-making process. This implies also the need to enhance testing efforts in terms of standards conformity and interoperability. The possibility for some sort of 'seal of approval' for products, services and processes was also thought to be desirable.
Workshop discussions indicated that standards currently suffer from insufficient attention to the issue of privacy. For example, while the work done so far on identity management is beginning to address some of the issues of managing personally identifiable information, it does not yet address the broader implications for the privacy of the citizen. Concern was expressed that there is considerable potential for information to be collected inappropriately or unnecessarily. Identity brokers holding large amounts of private information, maybe aggregated from a variety of sources, could become prime targets of attack, and such information may be held in jurisdictions that are beyond the reach of existing privacy legislation.
At the same time it was pointed out that many people do not pay enough attention to their own privacy e.g. by providing personal information too freely and without considering how it will be used. Nevertheless, information collected is, in many countries, covered by privacy laws and regulations. Governments should continue to adopt measures to protect the privacy of their citizens, as the average user cannot realistically be considered to have the technical knowledge and expertise to manage his/her own privacy effectively. Delegates declared that ICT standardization can help to resolve these concerns, firstly by clearly recognizing the need to address privacy aspects, and then by embedding them into standards from the very beginning.
Work on security standardization will continue in ETSI and the other organizations represented, and the conclusions of the 2009 Security Workshop are judged to be extremely valuable in ensuring that the work remains timely and focused on the key issues. Delegates also took a way a number of new challenges (notably testing considerations and the development of metrics in security) for their future work.
The 2009 Workshop programme, speaker details and copies of presentations can be found at: http://www.etsi.org/SECURITYWORKSHOP
An existing ETSI White Paper on ICT Security was updated for the event. The document discusses the diversity of security issues within ICT and outlines ETSI's responses to them. The White Paper is available free of charge at:
- ENDS -
ETSI produces globally-applicable standards for Information and Communications Technologies (ICT), including fixed, mobile, radio, converged, broadcast and internet technologies and is officially recognized by the European Commission as a European Standards Organization. ETSI is a not-for-profit organization whose 700 ETSI member organizations benefit from direct participation and are drawn from 62 countries across 5 continents worldwide.
For more information please visit: www.etsi.org