The technological evolution that makes the Networked Society possible brings positive change in many dimensions, but also exposes new threats. To meet this challenge, security must be an ongoing and holistic process that guarantees connectivity, requires minimum user effort and protects communication, as well as addressing access and right to privacy concerns. Security efforts should center on three principles: a multi-stakeholder approach, integrated security and viewing security as a continuous process. ericsson White paper Uen 307 23-3230 | February 2014 Guiding principles for security in a networked society
11
Embed
White Paper: Guiding principles for security in a Networked Society
To fulfill the potential of the Networked Society, billions of people must be able to trust that communication networks are reliable and that the information carried over them is secure.
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
The technological evolution that makes the Networked Society possible brings positive
change in many dimensions, but also exposes new threats.
To meet this challenge, security must be an ongoing and holistic process that
guarantees connectivity, requires minimum user effort and protects communication,
as well as addressing access and right to privacy concerns.
Security efforts should center on three principles: a multi-stakeholder approach,
integrated security and viewing security as a continuous process.
ericsson White paperUen 307 23-3230 | February 2014
Guiding principles for security in a networked society
GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY • TRUST IN THE NETWORK 2
Trust in the NetworkWe are heading towards a future in which virtually everything people do will involve communication
over a network. This transformation is well underway, with the number of mobile subscriptions
reaching 6.7 billion, and mobile broadband subscriptions topping 2.1 billion, in 2013 [1]. By 2019,
there will be a projected 9.3 billion mobile subscriptions – more than the number of people on
the planet – including 5.6 billion smartphone subscriptions alone [2]. To this can be added vast
numbers of fixed line subscriptions and free hot spot accesses and more.
But this is only the beginning of a broader connected transformation, one that is already
revolutionizing industries such as medicine, energy, education, transportation and financial
transactions, just to name a few. Enabled by broadband everywhere, declining costs of connectivity
and increasing openness, this transformation will unlock massive value for people, business and
society, as information and communications networks – including the software and applications
critical to running them – become an increasingly critical infrastructure.
However, there is a fundamental quality that must be continuously earned, and that is trust.
Users, companies, governments and organizations of all kinds must be able to trust that networks
are robust and reliable and that the
information carried over them is secure. This
expectation is not new, but there will soon
be exponentially greater complexity within
– and dependence on – the communications
infrastructure, which will raise the stakes for
keeping the network and associated data
safe.
Security can be defined as the activities
necessary to predict, detect and counter
threats to the availability, integrity and
confidentiality of information and key assets.
These activities ensure the appropriate level
of security in products and services, and
they encompass deployment, security
functionality and development processes,
as well as the proper implementation of
security solutions and safeguarding of
network operations.
With these ideas in mind, security efforts
should be guided by these perspectives:
> services should always be available
> security should require minimum effort from users
> all communications should be protected
> it should not be possible to manipulate the information in the networks
> all access to information and data should be authorized
> the right to privacy should be protected.
To guarantee the adoption of these perspectives, stakeholders should focus on a few key
building blocks: a multi-stakeholder approach, a focus on integrated security, and a view of
security as a continuous process. Putting these into action will require openness and collaboration
within and across industries, national and international multilateral governing bodies, as well as
civil society organizations. This is instrumental for creating the standards and global best practices
that can best ensure secure networks, products, operations and product development practices,
assuring that security doesn’t become a barrier to reaching the potential of the Networked Society.
Figure 1: The integration of connectivity into our way of life.
GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY • TRANSFORMATIVE TECHNOLOGY, EMERGING THREATS 3
Transformative technology, emerging threats Powerful and robust communications networks are a foundation of the global economy, and they
are already sparking dramatic transformations in industries and society by enabling new ways
of innovating, collaborating and socializing. The scale of this economic and technological shift
is on par with the industrial revolution and its major innovations such as the steam engine,
electricity and steel manufacturing. To put the current situation in perspective, data traffic grew
by 70 percent between 2012 and 2013 alone, according to the Ericsson Mobility Report [1], with
mobile data traffic expected to grow by a factor of 10 by 2019.
As transformative technology and tools emerge, however, attacks on networks are becoming
ever more frequent, more sophisticated and are being felt across a broader spectrum of platforms,
networks, devices and services. The primary focus areas within security today include:
> devices, which have become more open
and more capable, as well as the new
possible uses of those devices, including
bring your own device (BYOD), and
machine-to-machine (M2M), which
typically features less capable devices.
> new communication patterns, such as
those involving M2M and social media.
The long lifetime of some devices – for
example, sensors – are an additional
challenge with their security features that
must be kept updated.
> a multitude of new third-party software
and application ecosystems.
> a wide variety of heterogeneous networks,
including Wi-Fi, local area networks,
software-defined networking and mobile
networks with high availability.
> cloud and big data, which raise many
governance, security and privacy
questions, for example, about where data
is stored and who owns and can access
data.
At the same time, the threat landscape is fragmented, with attacks targeting both users and
organizations coming from a wide range of actors, including hacktivists, organized crime and
groups practicing industrial espionage. Cyber-attacks from these sources target all kinds of
devices, services and networks, and come in a variety of forms, including information theft, fraud,
identity theft, denial of service and malware. But non-malicious users are also a danger, through
lack of awareness in the choice and handling of passwords and in spreading viruses and other
malware.
These security challenges have been well publicized, and there is a growing public awareness
of both online hazards and the need to update legal and social codes of conduct in this area. In
a recent Ericsson ConsumerLab study [3], 70 percent of respondents considered security issues
Figure 2: Mobile data traffic by segment, 2013 and 2019.
GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY • TRANSFORMATIVE TECHNOLOGY, EMERGING THREATS 4
a concern while online; almost 60 percent said they worried about online surveillance; and 56 percent
said privacy issues were a concern. When it came to first-hand experiences, 68 percent had dealt
with computer viruses themselves, and 31 percent stated that someone close to them has been
exposed to internet fraud.
The ConsumerLab researchers concluded that user perceptions of risk are built on a blend of
first-hand experiences and hearsay. This makes people aware of risk but leaves them unsure about
when, where and how to assign and assess those risks, as well as what actions to take if a problem
arises.
The effect of this uncertainty should not
be underestimated, and privacy, security
and safety concerns are already having a
direct effect on how people use
communication infrastructure. Through
transparency and engagement, it is crucial
to support consumers to move from a
simple awareness of risk to a better
understanding of how ICT works, in order to
increase users’ sense of safety and trust.
Yet, at the same time, security solutions
cannot be overly complicated and must
require only minimum effort from users –
whether they are individuals, enterprises or
network operators – while still providing the
appropriate level of security for any particular
context.
EVOLVING NETWORKS
The Networked Society is by nature heterogeneous, with multiple players – including operators,
vendors, developers, service providers and enterprises in a wide range of industries – involved in the
generation, communication, presentation and application of data. This means that networks are both
growing in size and complexity while also converging towards a common set of technologies.
Information that was previously carried on different types of telecommunications or access networks
is now increasingly combined onto interconnected IP-based networks. This allows the network to
serve as a common utility, with service providers able to increase geographical coverage, support a
growing subscriber base, and offer new services that cross business and borders. But at the same
time, if security is not properly addressed, this shift also makes networks more vulnerable. For
example, money transactions increasingly flow over the network, which provides new financial
incentives for cyber-attacks.
With open operating systems and development environments, smartphones and other smart
devices also allow software developers to publish – and for users to freely download and install –
apps. Combined with the increasing processing power and massive number of devices in use, this
creates an ecosystem in which attackers can exploit vulnerabilities to deploy malware, among other
cyber-attacks. For example, if devices are infected with malware that includes them in a bot network,
the devices could be used to mount attacks against users, services, enterprises and the radio network.
Figure 3: Consumers’ view on privacy and security online.
GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY • PERSPECTIVES ON SECURITY 5
Perspectives on security Consumers and enterprises must be able to trust that devices, services and networks are able
to protect their privacy and keep them safe from cyber-attack. This places tremendous pressure
on networks, service providers and device manufacturers when delivering relevant, personalized
services and applications. Since no single player alone can ensure the necessary level of security,
it is essential that every stakeholder collaborates and works with these perspectives in mind:
1. Services should always be available: Networks must be resilient and built in a way that allows
for fast recovery from attacks.
2. Security should require minimum effort from users: Security solutions must be usable, scalable,
manageable and non-intrusive.
3. All communications should be protected: Security needs to be defined, implemented, managed
and maintained not only as technical solutions but in compliance checks, secure operational
processes and procedures, and with regular auditing and improvement.
4. It should not be possible to manipulate the information in the networks: The intended receiver
of any data or communication should be able to access that information in its original form,
or be able to detect if it has been manipulated.
5. All access to information and data should be authorized: There must be proper security
mechanisms for authentication, authorization and access control.
6. The right to privacy should be protected: Users must feel their privacy is respected when
using networked services, including secure storage and secure transmission of data. With
this in mind, clarity, transparency and permissibility must be top priorities when handling
private information.
Achieving these goals will require stakeholders to work with broad and pragmatic principles
that provide users with both a high level of security end-to-end and safe experiences across
borders, ecosystems and products and services from different vendors and service providers.
GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY • A MULTI-STAKEHOLDER APPROACH 6
A multi-stakeholder approachSecurity can only be achieved by cooperation among industry stakeholders, policymakers,
regulators and civil society organizations, and then further guaranteed by open and transparent
processes. While it remains important for users to keep passwords secret, security mechanisms
– such as algorithms – that depend on secrecy cannot be completely trusted. Security solutions
build stronger trust if they can be openly discussed among experts, and withstand professional
scrutiny and peer review.
Governments, agencies and regulators around the world have recognized the economic and
social importance of this area, and the subject is high on political agendas, with the US [4], the
European Union [5] and India [6], among others, releasing either new or updated cybersecurity
strategies in the past year.
There is a real risk that uncoordinated global efforts in this area will lead to a diverging set of
security requirements, which would jeopardize not only interoperability, but make security that
much more complex to guarantee. Global standards and best practices are therefore fundamental
to the efficient handling of threats – especially those that originate across national borders – as
well as to building economies of scale, avoiding fragmentation and ensuring interoperability.
Therefore, it is essential that industry stakeholders – including operators, vendors, regulators,
policymakers and IT-focused companies, as well as players from other industries – work together
to set common and open security standards that specify what needs to be secure and protected,
rather than mandate the use of a particular technology.
Industry and governments have, over the years, developed standards, best practices and
security technologies that provide security on the internet and communication networks (for
example, IPsec, Secure Socket Layer / Hypertext Transfer Protocol
Secure and the 3GPP standards).
However, existing 3GPP and internet standards have not
completely addressed how to securely implement protocols, test
for vulnerabilities and manage security-related issues throughout
a product life cycle. In response to this, 3GPP has designed a new
set of standards, called Security Assurance Methodology (SECAM),
which establishes security requirements not just for products but
also for product development processes.
According to proposed SECAM rules, accreditors will verify a
3GPP manufacturer’s overall capability to produce products that
meet a given set of security requirements, which will eliminate the
need for explicit certification on a per product basis, while also
encouraging a solution based view [7].
Beyond standards, collaboration among relevant stakeholders
can encompass a number of practical areas, including information
exchange, threat analysis, performance analysis, sharing of best
practices and encouraging cutting-edge research. Cooperation is also important for other
emerging connected infrastructures – such as energy, transport and health care.
Stakeholders must also be aware of specific human rights challenges that arise, such as threats
to freedom of expression and the right to privacy, as well as other negative impacts that can
come from the misuse of connectivity and technology. Particularly, the use of ICT to restrict or
violate human rights – even if not an intended use of a given technology – poses a significant
ethical challenge for policymakers and actors across the entire ecosystem. It’s crucial that these
concerns are highlighted and addressed in a comprehensive way, and that stakeholders work
actively and collaboratively to minimize the risk of violations [8].
STANDARD BODIES AND OTHER ORGANIZATIONS
• Third Generation Partnership Project (3GPP)
• Alliance for Telecommunications Industry Solutions (ATIS)
• Cloud Security Alliance (CSA)
• European Telecommunications Standards Institute (ETSI)
• GlobalPlatform
• GSM Association GSMA
• Internet Engineering Task Force (IETF)
• International Organization for Standardization (ISO)
• International Telecommunication Union (ITU)
• Open Mobile Alliance (OMA)
• OpenID Foundation
• Openstack
• Trusted Computing Group (TCG)
GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY • A HOLISTIC VIEW 7
A holistic viewIt is crucial to work holistically with security, from developing products and creating network
architecture to designing operational processes and managing operations. When designing
solutions – which encompass management, products and services, and the situations in which
products and services work together – security must be part of the basic architecture, not patched
on as an afterthought. Only with secure development practices, secure products and secure
processes can networks be operated in a truly secure manner.
SECURITY FROM THE START
To ensure the appropriate security level, it is important to set ambition levels as early as possible
and then follow through on those plans with continuous focus on product or service implementation.
An effective model to accomplish this should include the following concepts:
> developing the right security functions for a product or service
> verifying that the security functionality works as expected
> documenting functionality to enable secure operations
> providing professional services to ensure
that security requirements are met.
The most important R&D processes to
assure system security include: risk
assessment, security function specification
and implementation, hardening and
vulnerability analysis.
Risk assessment investigates how likely it
is that a given product could be hacked or
attacked and what the impact would be,
examining issues such as which interfaces
are available and how the product is
accessed. The assessment should address individual products and groups of products with
similar functionality, while also taking into account possible external considerations.
It is important to select the appropriate security functionality and, through security assurance,
ensure that the end product has proper and correctly implemented security properties. This
means that security risks need to be first evaluated thoroughly. Appropriate countermeasures
can then be defined, either by introducing new security tools or specifying requirements on the
surrounding infrastructure or usage of the service or network node.
This process reaches far into deployment by, for example, hardening of platforms and other
operational instructions. Hardening guidelines provide instructions for customers and users to
configure the product to a particular security level, both when launching but also over time. All
of this ensures “end to end” security, which could also be described as “from design to operations.”
The vulnerability analysis then validates the quality of the product design by identifying,
evaluating and ranking any potential weaknesses through qualitative penetration and fuzz testing
– meaning real attacks on real network elements.
SECURITY BY DESIGN
Creating a secure system involves more than just considering the individual products that make
up the system. The network design itself contains many complex interdependencies that need
to be analyzed and then secured, and it is both more difficult and more expensive to address
security issues after a design is completed or already in production.
At the core of the concept of security by design are international standards and best practices,
as discussed above. Of particular importance in the design phase is the ISO 27000 family, which
provides processes and best practices for information security, and the ISO 15 408 Common
Criteria, which illustrates well-established methods for security assurance and mutual recognition,
with the proposed SECAM specifications from 3GPP a crucial step for increasing assurance in
future generations of more open telecom products.
Figure 4: Integrated process for product and service development.
GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY • SECURITY AS A CONTINUOUS PROCESS 8
Security as a continuous processThe focus on security cannot end when products are shipped, because security is neither a
product in itself nor something that is addressed only once. It must evolve within an ever-changing
environment, and R&D must interact with real-world usage in order to detect and identify new
threats, either via customer interaction or via collaborations between security incident response
teams.
Security must therefore be incorporated into the entire development process. Some important
specifics to focus on – besides risk assessment and vulnerability analysis – include secure coding
review and design architecture security review and code traceability.
Security research is also imperative to developing innovative next generation defense strategies
and architectures, which will allow
stakeholders to stay ahead of the technology
and methods behind malware and cyber-
attacks.
This ongoing focus is necessary both in
terms of a stakeholder’s internal processes,
as well as for how they cooperate, whether
regionally, within the organization itself, or
across industries. It is crucial to incorporate
security-related input and feedback from all
possible sources, as only this level of
cooperation can maintain and improve the
resilience of the global communications
infrastructure.
Looking at internal processes, this means that maintaining security is achieved by a well-
defined governance structure, which ensures that the entire organization stays focused on both
emerging threats and solutions. This applies to solution development processes and to sales
processes, which should ensure that product features are used in a manner compliant with all
relevant laws and regulations.
Good governance encourages cooperation among stakeholders and the development of
secure operational processes on a global scale. It also helps to get a regular awareness of
potential and actual security threats, as security concerns and practices vary widely by country
and a threat that affects one region today could impact another tomorrow. This type of collective
knowledge can help operators, vendors and others deliver more secure solutions and let them
feed new lessons directly into their own development process.
Figure 5: Continuously improving security.
GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY • CONCLUSION 9
ConclusionSecurity is a continuous process that will influence every sector of the digital ecosystem. It is
also an area that will become even more critical in the future, as technology and connectivity
reach into our lives for purposes we can’t even imagine. This requires a unified multi-stakeholder
approach that encompasses a range of threats and impacts, including network security and
economic considerations.
The breadth of this challenge will force vendors, operators, developers, governments and users
to view security holistically. Solution design processes must incorporate security from the start
and consider it at the device, platform, application, and system level, and companies and
organizations must put internal governance structures in place to foster an effective security
culture. All stakeholders must then focus on security as a continuous process. It will take this
level of collective vigilance to ensure that security doesn’t become a barrier to reaching the
potential of the Networked Society for people, business and society at large.
GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY • GLOSSARY 10
GLOSSARYATIS Alliance for Telecommunications Industry Solutions
BYOD bring your own device
CSA Cloud Security Alliance
ETSI European Telecommunications Standards Institute
IETF Internet Engineering Task Force
IPsec IP Security
ISO International Organization for Standardization
M2M machine-to-machine
OMA Open Mobile Alliance
SECAM Security Assurance Methodology
TCG Trusted Computing Group
References1. Ericsson, February 2014, Ericsson Mobility Report interim update.
Available at: www.ericsson.com/mobility-report
2. Ericsson, November 2013, Ericsson Mobility Report.
Available at: http://www.ericsson.com/res/docs/2013/ericsson-mobility-report-november-2013.pdf
3. Ericsson ConsumerLab, February 2014, Privacy, security and safety online.
Available at: http://www.ericsson.com/res/docs/2014/privacy-security-safety-online.pdf
4. United States of America, Executive Order, The White House, Office of the Press Secretary, February 2013, Improving
Critical Infrastructure Cybersecurity.
5. European Commission, High Representative of the European Union for Foreign Affairs and Security Policy, February
2013, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace.
6. Republic of India, Ministry of Communication and Information Technology, Department of Electronics and Information
Technology, July 2013.
7. Ericsson Review, January 2014, Setting the standard: methodology counters security threats. Available at: