Universal Trusted Service Provider Identity to Reduce Vulnerabilities

Similar documents
A Criminal Intrudes into a Bank in Geneva Korean agents. Canadian agents make the arrest. Argentinian investigators. discover. attack came from Seoul

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

RESOLUTION 45 (Rev. Hyderabad, 2010)

IP Interconnection. Calvin S. Monson Vice President. Antigua September 2007

RESOLUTION 130 (REV. BUSAN, 2014)

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

RESOLUTION 130 (Rev. Antalya, 2006)

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Express Monitoring 2019

Legal framework of ensuring of cyber security in the Republic of Azerbaijan

PURPOSE STATEMENT FOR THE COLLECTION AND PROCESSING OF WHOIS DATA

NIS Standardisation ENISA view

Cyber Risks in the Boardroom Conference

CHAPTER 13 ELECTRONIC COMMERCE

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Promoting Global Cybersecurity

World Conference on International Telecommunications 2012 (WCIT-12) Arab Views on the ITRs and the WCIT-2012

Program 1. THE USE OF CYBER ACTIVE DEFENSE BY THE PRIVATE SECTOR

International Cooperation in Cybercrime Investigations

G8 Lyon-Roma Group High Tech Crime Subgroup

Cybersecurity & Spam after WSIS: How MAAWG can help

Identity Management. An overview of the status of some of the key IdM work (plus some thoughts from the sidelines) Mike Harrop The Cottingham Group

Garry Mukelabai Communications Authority Zambia

About Issues in Building the National Strategy for Cybersecurity in Vietnam

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

NEW INNOVATIONS NEED FOR NEW LAW ENFORCEMENT CAPABILITIES

The Case for National CSIRTs

Information Security Incident Response Plan

Challenges in Developing National Cyber Security Policy Frameworks

CYBER SOLUTIONS & THREAT INTELLIGENCE

Accelerate Your Enterprise Private Cloud Initiative

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C

Legal Foundation and Enforcement: Promoting Cybersecurity

2 nd ARF Seminar on Cyber Terrorism PAKISTAN S PERSPECTIVE AND EXPERIENCE WITH REFERENCE TO CERT IN COMBATING CYBER TERRORISM

Massive M2M Communications: Challenges for NRAs

RESOLUTION 47 (Rev. Buenos Aires, 2017)

Cyber Security and Cyber Fraud

The President s Spectrum Policy Initiative

CYBERCRIME LEGISLATION DEVELOPMENT IN NIGERIA AN UPDATE. Octopus Conference, Strasbourg 06 June, 2012

Cybersecurity for ALL

DIGITAL AGENDA FOR EUROPE

Control Systems Cyber Security Awareness

Broadband Internet Access Disclosure

Telecommunications Regulation. EL SALVADOR Romero Pineda & Asociados

Supercharge Your SIEM: How Domain Intelligence Enhances Situational Awareness

ICANN and Russia. Dr. Paul Twomey President and CEO. 10 June International Economic Forum St. Petersburg, Russia

ISACA National Cyber Security Conference 8 December 2017, National Bank of Romania


Fundamentals of Cybersecurity/CIIP. Building Capacity: Using a National Strategy & Self-Assessment

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

Protecting Information Assets - Week 3 - Data Classification Processes and Models. MIS 5206 Protecting Information Assets

Customer Proprietary Network Information

OUTLINE. I Overview: the Challenge of NGNs for regulation. Outline

Information Security Incident Response Plan

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Plenipotentiary Conference (PP- 14) Busan, 20 October 7 November 2014

Draft Resolution for Committee Consideration and Recommendation

ISAO SO Product Outline

Brazil (Federative Republic of) PROPOSALS FOR THE WORK OF THE CONFERENCE

Comprehensive Study on Cybercrime

79th OREGON LEGISLATIVE ASSEMBLY Regular Session. Senate Bill 90

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

ETSI Security Standards Workshop January 2006

Global cybersecurity and international standards

The challenges of the NIS directive from the viewpoint of the Vienna Hospital Association

Innovation policy for Industry 4.0

2017 Cyber Incident & Breach Readiness Webinar Will Start Shortly

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

A Checklist for Cybersecurity and Data Privacy Diligence in TMT Transactions

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

An Internet of Governments: How Policymakers Became Interested in Cyber. Maarten Van Horenbeeck, FIRST Klee Aiken, APNIC

PROCEDURE COMPREHENSIVE HEALTH SERVICES, INC

RECOMMENDATION ITU-R M SECURITY PRINCIPLES FOR INTERNATIONAL MOBILE TELECOMMUNICATIONS-2000 (IMT-2000) (Question ITU-R 39/8) TABLE OF CONTENTS

ITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability. Session 2: Conformity Assessment Principles

Legal, Ethical, and Professional Issues in Information Security

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

European Union Agency for Network and Information Security

CYBER SECURITY AND DATA PROTECTION Theme: Securing Businesses and Public Transactions. Regional Headquarters, The University of the West Indies, Mona

Cybersecurity and Vulnerability Assessment

Managing Cyber Risk. Robert Entin Executive Vice President Chief Information Officer Vornado Realty Trust

Denial of Service Protection Standardize Defense or Loose the War

Regulation and the Internet of Things

NOW IS THE TIME. to secure our future

SECURITY & PRIVACY DOCUMENTATION

Personal Cybersecurity

The Impact of Cybersecurity, Data Privacy and Social Media

Regulator's involvement in and skills for ITU standardization: an example of Suisse OFCOM

KENYA YOUR RELIABLE PARTNER AT THE ITU. Candidate for the ITU Council in Region D

DeMystifying Data Breaches and Information Security Compliance

APNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013

MUTUAL RECOGNITION MECHANISMS. Tahseen Ahmad Khan

Before the Federal Communications Commission Washington, D.C ) ) ) ) ) ) ) ) ) REPLY COMMENTS OF PCIA THE WIRELESS INFRASTRUCTURE ASSOCIATION

ECOWAS Cyber security Agenda

SIEM: Five Requirements that Solve the Bigger Business Issues

Mutual Recognition Agreement/Arrangement: General Introduction, Framework and Benefits

Starting from the basics: cybersecurity awareness campaigns in the electricity and energy sector

Resolution adopted by the General Assembly on 21 December [on the report of the Second Committee (A/64/422/Add.3)]

Introduction to ITU and ITU-T activities. ITU-T, the Standardization Sector of ITU.

UAE National Space Policy Agenda Item 11; LSC April By: Space Policy and Regulations Directory

Scaling Interoperable Trust through a Trustmark Marketplace

Transcription:

1.1 Session 3: Cyber-attacks: Are we ready for the battlefield of the 21st Century? 22 May 2008 Palais des Nations, Geneva Universal Trusted Service Provider Identity to Reduce Vulnerabilities Tony Rutkowski Vice President for Regulatory Affairs and Standards, VeriSign Co-editor, ITU-T Recommendation: Requirements for global identity management trust and interoperability Member, ITU High Level Experts Group on Cybersecurity Distinguished Fellow, Georgia Tech Nunn Center for International Strategy Technology and Policy mailto:trutkowski@verisign.com International Telecommunication Union

Introduction In the Cybersecurity Ecosystem, it is infrastructurebased capabilities that are most important Cybercrime arrangements are worth little except as they drive infrastructure forensic capabilities Among infrastructure-capabilities, it is trusted Identity Management that is most important Infrastructure includes all telecommunications/ict of which internets are just a small part Among Identity Management, it is trusted service provider identity capabilities that are the most important These capabilities have also the largest benefit-cost ratio: easily and quickly achievable at negligible cost and adverse impact The challenge is how to bring about infrastructurebased cybersecurity capabilities, especially global interoperable trust

Universal Trusted Service Provider Identity is essential Significantly diminishes existing and potential threats for Governments Providers Consumers Enhances infrastructure stability Provides developers and service providers with new trust service opportunities A universal service provider trust infrastructure can be implemented quickly, easily, and at minimal cost

Trusted-SPID is like doing a fingerprint check on the identity of a Service Provider Service Provider = everyone except end users (enhances privacy)

1995-2008: the cybersecurity Perfect Storm Service Provider trust that is essential for network security was provided by closed, fixed networks operating under substantial domestic and international regulatory regimes During the past decade open public networks (e.g., Internet), wireless, nomadicity, globalization, smart terminal devices, application providers, and a shift away from legacy regulatory regimes without the development of any kind of underlying global service provider trust infrastructure

The problem: provider identity and trust have disappeared In the legacy telecom world, service providers were identified and trust levels established through common carrier regulation In the IP-enabled, deregulated network world, it is difficult to identify who the service providers are, much less assess trust levels????

The lack of a trust infrastructure produced inevitable results Battlefield conditions Provider fraud, identity theft, phishing, SPAM, phantom traffic, Denial of Service attacks, CallerID spoofing, Critical Infrastructure vulnerabilities, etc The increasing transition of public IPenabled network infrastructures will exacerbate vulnerabilities The problems and abuses will likely continue to increase significantly without effective Service Provider identity trust remedies

What is required? A network platform for a universally recognized, globally unique identifier (a kind of call-sign) for each provider the ability to allow instant interoperable discovery and lookup of identity trust information associated with the provider Enable other providers and users to make trust decisions when relying on a provider s identity and assertions in any context or situation Governmental and Intergovernmental action to implement the platform Historically a basic role of the ITU and governments Unlikely to occur without governmental support

Enabling Service Provider Trust Standard universal overlay means for discovering and providing structured Service Provider Trust Information What trust information is available for 333.10.12345678+ 333.10.12345678+ 666.01.66666661+ 525.02.12345678+ 464.01.87654321+ Standard universal means of uniquely identifying Service Providers and capturing available structured Trust Information

Needs for Trusted Service Provider Identity Amongst Service Providers Infrastructure security and integrity Traffic exchange and settlements Roaming settlements Content IPR protection, controls and fee settlements Access of content/application providers to traffic termination providers Threat management; incident response trust capabilities Federation interoperability; provider bridging capabilities Access trust End Users Transaction trust, i.e., minimize fraud Protection against identity theft Protection of Personally Identifiable Information Preventing unwanted intrusions, e.g., SPAM, cyberstalking Trusted Caller/Sender ID Government Critical infrastructure protection Emergency telecommunication services Law enforcement forensics Public safety services Universal Service contributions Number resource allocations Government network security and integrity Network Neutrality Disability assistance Network Neutrality

Service Provider Trust Information Service Provider Credentials o X.509 PKI digital certificates o Other credentials Service Provider Assigned identifiers Service Provider Allocated Public Numbering Resources o Operational identifiers (e.g., OIDs, ITU Carrier Codes, E.212 MCC/MNCs, Autonomous System Number blocks, IP address handles) o Signalling point codes (SANS) o Public safety and emergency telecommunications identifiers o Billing and settlement identifiers o Regulatory identifiers o Tax identifiers o Law Enforcement identifiers (LI and retained retention) o o o E.164 number blocks IPv4/v6 addresses blocks Autonomous System Number blocks Service Provider Attributes o Legal name o Business names o Headquarters jurisdiction o Billing and settlement attributes o Federations o Emergency services authorizations and capabilities o Disability assistance capabilities o Customer support contacts o Privacy support capabilities o Additional regulatory, infrastructure protection, and security attributes Service Provider Patterns o Reputation datastores or metadata

Trusted Service Provider Identity Architecture TSPID Information TSPID Profile Information TSPID (TIP) Profile Information (TIP) Profile (TIP) Service Provider 1.Submits TIPS 2.Receives SPID Identifier + digital key Service Provider Trust Information can exist either at the Registration Authority or at any accessible network address Published templates that describe how to express Service Provider Trust Information TSPID Registration Authority 1.Accepts TIPs 2.Places TIPS in Query system 3.Issues unique SPID Identifier + digital key Published templates that describe how to assess Service Provider Trust Information TSPID Assurance TSPID Profile Assurance TSPID (TAP) Profile Assurance (TAP) Profile (TAP) Other Providers & End Users 1.Gets appropriate TAP for a transaction 2.Queries for TIPS from Registration Authority Service 3.Obtains Service Provider Service Trust Provider Trust Information Provider Service Trust Information Provider Trust Information Information 4.Assesses trust level

Trusted Service Provider Identity is core to cybersecurity

All technical implementation components exist today Trusted SPID requirements can be readily implemented on many different technical platforms Highest performance platform is found in the past seven years of work on for telephone numbers and product codes on Domain Name System Standards activity now underway in ITU-T and regional/national standards bodies All of the running code is available, open-source with no intellectual property constraints Highly synergistic with ongoing trust federation activities, NGN, and other industry developments The work incents an existing developer community to produce new trust applications

All legal system implementation components exist today ITU Constitution Art. 42 obligates signatories (nearly every nation) to take steps to avoid harm to facilities and telecommunications Maintaining the integrity of telecommunication infrastructure and services goes back to earliest treaty instrument in 1850 The obligation became a core component of the 1903 draft wireless radio convention Became integrated in 1920 as an obligation to organize as far as possible in such a manner as not to disturb the services of other Administrations Reflected in later instruments as an obligation to avoid harmful interference Expanded in 1989 in the ITU Constitution to avoid "technical harm to the operation of other telecommunication services of other Member States Every nation has the authority to implement registration capabilities for those constituting public ICT/telecommunication networks or offering services to the public over those networks Registration authority is widely implemented by telecom regulatory, justice, infrastructure protection, consumer protection, tax, and business agencies A requirement to register is not regulation

Is history repeating itself One hundred years ago New wireless digital networks and services were operating in chaos and harming each other's communications Nations joined together to adopt basic global norms and mechanisms Cooperate to minimize harm to another party s infrastructure and communications Facilitate interoperation Institute trusted service provider identity Agreement was finally achieved immediately after Titanic sinking

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback