(Continuation of Question 15/13)
Motivation
While the public switched telephone networks (PSTNs) that use circuit-based
technology are relatively secure, security threats against the evolving
telecommunications infrastructure are increasing, both in frequency and in
complexity. Efforts over the years to secure packet infrastructures have been
somewhat fragmented and event-driven and have so far failed to produce the
desired level of protection against threats. The issue is complicated by the
large number of organizations working on various aspects of security, which
makes coordination and cooperation difficult.
Recognizing that security is one of the defining features of NGN, it is
essential to put in place a set of standards that will guarantee, to the maximum
degree possible, the security of the NGN. One example of a new application and
architecture that requires a specific new set of mechanisms is IPTV.
A major development that needs detailed standardization is NGN identity
management (IdM). In particular, Study Group 13 needs to address, in the context
of NGN, the broad IdM issues of concern to telecom network/service providers,
governments, and end users. This includes assertion and assurance of entity
identities (e.g. users, devices, service providers) for the purposes noted in
the following, non-exhaustive list:
- Efficient support of subscriber services (e.g. NGN services and
applications) using common IdM infrastructure to support multiple applications
including inter-network communications
- Appropriate secure provisioning of the network devices
- Ease of use and single sign-on / sign-off
- Public safety services
- International emergency and priority services
- Electronic government (e-Government) services
- Privacy/user control of personal information (i.e. protection of personally
identifiable information [PPII])
- Security (e.g. confidence in transactions, protection from identity (ID)
theft) and protection of the NGN infrastructure, resources (services and
applications) and end-user information
- National security and critical infrastructure protection
As NGN evolves and new security vulnerabilities appear for which there is no
known immediate automatic remedy, such vulnerabilities must be properly
documented so as to enable network administrators and end users to mitigate
them. The NGN security studies must address and develop network architectures
that:
- Provide for maximal network and end-user resource protection
- Allow for highly-distributed intelligence end-to-end
- Allow for co-existence of multiple networking technologies
- Provide for end-to-end security mechanisms
- Provide for security solutions that apply over multiple administrative domains
- Provide for secure identity management, which involves, but is not limited to:
- Reliable authentication of the NGN entities (e.g. users, user devices, network
providers, service providers, identity providers, etc.)
- Prevention of unauthorized access to identity data in NGN
- Secure exchange of identity information among federated entities in NGN
- Support for record-keeping of the use of identity information in NGN
- Support for user privacy and anonymity in NGN
- Capability of supporting NGN users in securely managing their identity
information (e.g. modifying user profiles, changing passwords, enabling
location-based services, viewing billing records, etc.)
- Provide for security solutions for IPTV that are cost-effective and have
acceptable impact on performance, quality of service, usability, and
scalability. The types of protection that IPTV security should provide include,
but are not limited to:
- Content protection
- Service protection
- Network protection
- Terminal protection
- Subscriber protection
- Provide for security solutions that support the cases where the mobile
terminal serves as a payment or banking terminal and the NGN is used as
a transport system to carry transaction flows. The security issues addressed
here include network and interface capabilities and functions to support:
- Transaction protection
- Privacy policy
- Financial infrastructure protection
- Subscriber protection
- Identity management aspects
- The complexity of the issue necessitates a systematic study of the general
security mechanisms and applications developed in ITU-T Study Group 17 (the lead
study group on security), ISO/IEC JTC 1/SC 27, ATIS, the 3G Partnership Projects
(3GPP and 3GPP2), IETF, and other applicable SDOs, as well as the interface- and
protocol-specific mechanisms developed in the relevant ITU-T study groups and
IETF working groups.
Recommendations under the responsibility of this Question include: Y.2701,
Y.2702, etc.
Question
Study items to be considered include, but are not limited to:
- What new Recommendations, enhancements to existing Recommendations or guidance
to other study groups are needed to standardize the identification and
cataloguing of NGN threats and vulnerabilities?
- What are the security requirements of NGN to effectively counter these
threats? Which of these requirements should be included in all next generation
networks and which could be offered as an optional service?
- What new Recommendations or guidance are necessary to enable comprehensive,
end-to-end security in NGN that spans multiple heterogeneous administrative
domains?
- What new Recommendations or guidance are necessary to enable attachment of
terminals in a secure fashion, including authentication, authorization, and
accounting (AAA) considerations, to NGN?
- How should the security architecture of identity management in next generation
networks be defined?
- What are the security requirements for identity management in NGN?
- What new Recommendations are needed for supporting security requirements of
identity management in NGN?
- What new Recommendations are needed for supporting secure interoperability
among different circles of trust (CoTs) in NGN?
- What are the security requirements of IPTV as its study evolves?
- What new NGN Recommendations are needed for supporting security requirements
of IPTV?
- What new NGN Recommendations are needed for supporting the security of
financial transactions?
- What enhancements to existing Recommendations are required to provide energy
savings directly or indirectly in information and communication technologies (ICTs)
or in other industries? What enhancements to developing or new Recommendations
are required to provide such energy savings?
Tasks
Tasks include, but are not limited to:
- Lead the NGN-specific security project-level issues within Study Group 13 and
with other study groups.
- Ensure the developed NGN architecture is consistent with accepted security
principles.
- Ensure that AAA principles are integrated as required throughout the NGN.
- Ensure that identity management solutions meet security requirements of NGN.
- Ensure that security solutions for IPTV are consistent with security
requirements of NGN.
Specifically,
- Study and define the functional architectural concepts for integration of a
common identity management (IdM) infrastructure in the NGN architecture, to be
used by multiple NGN applications and services (e.g. IPTV, voice and data).
- Study and define the functional architectural concepts for the exchange of IdM
information between next generation networks, and IdM bridging/interoperability
between an NGN and other different types of networks (e.g. the public Internet).
- Study and specify the component capabilities (e.g. discovery, policy and
trust model, authentication and authorization, assertions, credential lifecycle
management) of a framework and the associated requirements for NGN IdM.
- Study and specify the requirements and capabilities for NGN identity assurance
(e.g. assurance levels and authentication method). This includes mechanisms to
allow mapping and interworking between different assurance approaches and
methods that might be adopted in various national networks.
- Study and specify requirements and guidelines for NGN support of
authentication capabilities using biometrics (tele-biometrics), smart cards and
security tokens. This includes requirements and guidelines to protect the
biometric data, smart cards and security token assurance capabilities used to
support services/applications such as tele-medicine, e-Government services, and
national/international government services.
- Identify the internal and external interfaces in the NGN for exchange of IdM
information. Define the interface specification including protocols and
mechanisms (e.g. SAML, Diameter, SIP).
- Study and define requirements for protection of an end-user subscriber's
personally identifiable information (PII) in the NGN. This includes requirements
and approaches to allow user control of PII, and network mechanisms for adherence
to policy regarding PII and information dissemination.
- Study and define the requirements to protect IdM systems. Provide guidelines
and approaches on how to use IdM capabilities as a means for NGN providers to
exchange information and coordinate responses against cyber-attacks.
- Study and define the use scenarios, requirements, architecture, and
information flows for the security of the mobile financial environment.
- Consider what enhancements to existing Recommendations are required to provide
energy conservation directly or indirectly in information and communication
technologies (ICTs) or in other industries. Consider what enhancements to
developing or new Recommendations are required to provide energy conservation.
Approval procedure
Traditional Approval Procedure shall be the default for all Draft Recommendations developed by Q.16/13.
Relationships
Recommendations: X.800-series, Y-series
Questions: Relevant Questions on NGN networking, architecture, and QoS (where
authentication and authorization are required for access to resources)
Study groups: All ITU-T Study Groups, ITU-R, ITU-D
Standardization bodies, fora, and consortia:
- ISO/IEC JTC 1/SC 27
- ATIS
- ETSI
- TIA
- IETF
- 3GPP
- 3GPP2
- DSL Forum
- OMA
- OASIS
- Liberty Alliance