International body adopts network security standard

The International Organization for Standardization (ISO) approved last month a comprehensive model that identifies critical requirements to ensure end-to-end network security.

Specifically, the global standards group formally adopted ISO/IEC 18028-2, which defines a standard security architecture and provides a systematic approach to support the planning, design and implementation of information technology networks.

The standard is based on X.805, a framework Bell Labs created several years ago. The International Telecommunication Union (ITU), another standards body, adopted it before ISO.

Rati Thanawala, vice president of Bell Labs’ network planning, performance and economic analysis division, said the new ISO standard provides a consistent methodology for assessing end-to-end network security. She said it also provides a common language among IT network managers, administrators, engineers and security officers to address security with the emergence of new technologies and convergence of networks.

The standard also allows government and private-sector officials to perform cost-benefit analyses and better business continuity planning, Thanawala said.

“If you did have a disaster in communications, what is the impact of that?” she asked. “What is going to happen? It’s coming at a good time right now because right now is a very critical time for looking at security of communications networks.”

Bell Labs created the X.805 standard to ensure end-to-end interoperability and security for communications networks. Previously, it was an area driven by implementing devices, such as firewalls, here and there rather than looking at the issue holistically.

Thanawala said a working group was established about four years ago within ITU to address that issue, and it was then that Bell Labs created the X.805 architecture framework. For example, she said, there are not an infinite number of threats in a communications network, but only five.

“The five threats are how you can destroy information, corrupt information, remove information, disclose information or interrupt information,” she said. “There isn’t a sixth threat. Prior to taking a systemic approach to this, people thought there were an infinite number of threats to networks. But when you really get good subject-matter experts to sit down and start thinking about it, they said there are only five threats.”

Similarly, Thanawala said, there are only eight dimensions of security that must be addressed to prevent the exploitation of vulnerabilities. They include privacy, availability, integrity, communications flow, confidentiality, nonrepudiation, authentication and access control.

There are three security layers – infrastructure, services and applications – and three security planes – management, control and end-user – that represent the types of activities that take place on a network.

“So, basically there are five threats, eight dimensions, three security layers and three planes, and that’s a 72-cell matrix,” Thanawala said. “And that is the entire way of looking at security of any communications network. It could be the Internet. It could be the enterprise system. It could a sole operator.”

She said the standard is critical because communications is vital to many other infrastructures, such as banking and finance, transportation, and power.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.