Guiding principles for security in a networked society

Transcription

1 ericsson White paper Uen February 2014 Guiding principles for security in a networked society The technological evolution that makes the Networked Society possible brings positive change in many dimensions, but also exposes new threats. To meet this challenge, security must be an ongoing and holistic process that guarantees connectivity, requires minimum user effort and protects communication, as well as addressing access and right to privacy concerns. Security efforts should center on three principles: a multi-stakeholder approach, integrated security and viewing security as a continuous process.

2 Trust in the Network We are heading towards a future in which virtually everything people do will involve communication over a network. This transformation is well underway, with the number of mobile subscriptions reaching 6.7 billion, and mobile broadband subscriptions topping 2.1 billion, in 2013 [1]. By 2019, there will be a projected 9.3 billion mobile subscriptions more than the number of people on the planet including 5.6 billion smartphone subscriptions alone [2]. To this can be added vast numbers of fixed line subscriptions and free hot spot accesses and more. But this is only the beginning of a broader connected transformation, one that is already revolutionizing industries such as medicine, energy, education, transportation and financial transactions, just to name a few. Enabled by broadband everywhere, declining costs of connectivity and increasing openness, this transformation will unlock massive value for people, business and society, as information and communications networks including the software and applications critical to running them become an increasingly critical infrastructure. However, there is a fundamental quality that must be continuously earned, and that is trust. Users, companies, governments and organizations of all kinds must be able to trust that networks are robust and reliable and that the information carried over them is secure. This expectation is not new, but there will soon be exponentially greater complexity within and dependence on the communications infrastructure, which will raise the stakes for keeping the network and associated data safe. Security can be defined as the activities necessary to predict, detect and counter threats to the availability, integrity and confidentiality of information and key assets. These activities ensure the appropriate level of security in products and services, and they encompass deployment, security functionality and development processes, as well as the proper implementation of security solutions and safeguarding of network operations. With these ideas in mind, security efforts Figure 1: The integration of connectivity into our way of life. should be guided by these perspectives: > > services should always be available > > security should require minimum effort from users > > all communications should be protected > > it should not be possible to manipulate the information in the networks > > all access to information and data should be authorized > > the right to privacy should be protected. To guarantee the adoption of these perspectives, stakeholders should focus on a few key building blocks: a multi-stakeholder approach, a focus on integrated security, and a view of security as a continuous process. Putting these into action will require openness and collaboration within and across industries, national and international multilateral governing bodies, as well as civil society organizations. This is instrumental for creating the standards and global best practices that can best ensure secure networks, products, operations and product development practices, assuring that security doesn t become a barrier to reaching the potential of the Networked Society. GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY TRUST IN THE NETWORK 2

3 Transformative technology, emerging threats Powerful and robust communications networks are a foundation of the global economy, and they are already sparking dramatic transformations in industries and society by enabling new ways of innovating, collaborating and socializing. The scale of this economic and technological shift is on par with the industrial revolution and its major innovations such as the steam engine, electricity and steel manufacturing. To put the current situation in perspective, data traffic grew by 70 percent between 2012 and 2013 alone, according to the Ericsson Mobility Report [1], with mobile data traffic expected to grow by a factor of 10 by As transformative technology and tools emerge, however, attacks on networks are becoming ever more frequent, more sophisticated and are being felt across a broader spectrum of platforms, networks, devices and services. The primary focus areas within security today include: > > devices, which have become more open and more capable, as well as the new possible uses of those devices, including bring your own device (BYOD), and machine-to-machine (M2M), which typically features less capable devices. > > new communication patterns, such as those involving M2M and social media. The long lifetime of some devices for example, sensors are an additional challenge with their security features that must be kept updated. > > a multitude of new third-party software and application ecosystems. > > a wide variety of heterogeneous networks, including Wi-Fi, local area networks, software-defined networking and mobile networks with high availability. > > cloud and big data, which raise many governance, security and privacy questions, for example, about where data is stored and who owns and can access data. Figure 2: Mobile data traffic by segment, 2013 and At the same time, the threat landscape is fragmented, with attacks targeting both users and organizations coming from a wide range of actors, including hacktivists, organized crime and groups practicing industrial espionage. Cyber-attacks from these sources target all kinds of devices, services and networks, and come in a variety of forms, including information theft, fraud, identity theft, denial of service and malware. But non-malicious users are also a danger, through lack of awareness in the choice and handling of passwords and in spreading viruses and other malware. These security challenges have been well publicized, and there is a growing public awareness of both online hazards and the need to update legal and social codes of conduct in this area. In a recent Ericsson ConsumerLab study [3], 70 percent of respondents considered security issues GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY TRANSFORMATIVE TECHNOLOGY, EMERGING THREATS 3

4 a concern while online; almost 60 percent said they worried about online surveillance; and 56 percent said privacy issues were a concern. When it came to first-hand experiences, 68 percent had dealt with computer viruses themselves, and 31 percent stated that someone close to them has been exposed to internet fraud. The ConsumerLab researchers concluded that user perceptions of risk are built on a blend of first-hand experiences and hearsay. This makes people aware of risk but leaves them unsure about when, where and how to assign and assess those risks, as well as what actions to take if a problem arises. The effect of this uncertainty should not be underestimated, and privacy, security and safety concerns are already having a direct effect on how people use communication infrastructure. Through transparency and engagement, it is crucial to support consumers to move from a simple awareness of risk to a better understanding of how ICT works, in order to increase users sense of safety and trust. Yet, at the same time, security solutions cannot be overly complicated and must require only minimum effort from users whether they are individuals, enterprises or network operators while still providing the Figure 3: Consumers view on privacy and security online. appropriate level of security for any particular context. EVOLVING NETWORKS The Networked Society is by nature heterogeneous, with multiple players including operators, vendors, developers, service providers and enterprises in a wide range of industries involved in the generation, communication, presentation and application of data. This means that networks are both growing in size and complexity while also converging towards a common set of technologies. Information that was previously carried on different types of telecommunications or access networks is now increasingly combined onto interconnected IP-based networks. This allows the network to serve as a common utility, with service providers able to increase geographical coverage, support a growing subscriber base, and offer new services that cross business and borders. But at the same time, if security is not properly addressed, this shift also makes networks more vulnerable. For example, money transactions increasingly flow over the network, which provides new financial incentives for cyber-attacks. With open operating systems and development environments, smartphones and other smart devices also allow software developers to publish and for users to freely download and install apps. Combined with the increasing processing power and massive number of devices in use, this creates an ecosystem in which attackers can exploit vulnerabilities to deploy malware, among other cyber-attacks. For example, if devices are infected with malware that includes them in a bot network, the devices could be used to mount attacks against users, services, enterprises and the radio network. GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY TRANSFORMATIVE TECHNOLOGY, EMERGING THREATS 4

5 Perspectives on security Consumers and enterprises must be able to trust that devices, services and networks are able to protect their privacy and keep them safe from cyber-attack. This places tremendous pressure on networks, service providers and device manufacturers when delivering relevant, personalized services and applications. Since no single player alone can ensure the necessary level of security, it is essential that every stakeholder collaborates and works with these perspectives in mind: 1. Services should always be available: Networks must be resilient and built in a way that allows for fast recovery from attacks. 2. Security should require minimum effort from users: Security solutions must be usable, scalable, manageable and non-intrusive. 3. All communications should be protected: Security needs to be defined, implemented, managed and maintained not only as technical solutions but in compliance checks, secure operational processes and procedures, and with regular auditing and improvement. 4. It should not be possible to manipulate the information in the networks: The intended receiver of any data or communication should be able to access that information in its original form, or be able to detect if it has been manipulated. 5. All access to information and data should be authorized: There must be proper security mechanisms for authentication, authorization and access control. 6. The right to privacy should be protected: Users must feel their privacy is respected when using networked services, including secure storage and secure transmission of data. With this in mind, clarity, transparency and permissibility must be top priorities when handling private information. Achieving these goals will require stakeholders to work with broad and pragmatic principles that provide users with both a high level of security end-to-end and safe experiences across borders, ecosystems and products and services from different vendors and service providers. GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY PERSPECTIVES ON SECURITY 5

6 A multistakeholder approach Security can only be achieved by cooperation among industry stakeholders, policymakers, regulators and civil society organizations, and then further guaranteed by open and transparent processes. While it remains important for users to keep passwords secret, security mechanisms such as algorithms that depend on secrecy cannot be completely trusted. Security solutions build stronger trust if they can be openly discussed among experts, and withstand professional scrutiny and peer review. Governments, agencies and regulators around the world have recognized the economic and social importance of this area, and the subject is high on political agendas, with the US [4], the European Union [5] and India [6], among others, releasing either new or updated cybersecurity strategies in the past year. There is a real risk that uncoordinated global efforts in this area will lead to a diverging set of security requirements, which would jeopardize not only interoperability, but make security that much more complex to guarantee. Global standards and best practices are therefore fundamental to the efficient handling of threats especially those that originate across national borders as well as to building economies of scale, avoiding fragmentation and ensuring interoperability. Therefore, it is essential that industry stakeholders including operators, vendors, regulators, policymakers and IT-focused companies, as well as players from other industries work together to set common and open security standards that specify what needs to be secure and protected, rather than mandate the use of a particular technology. Industry and governments have, over the years, developed standards, best practices and security technologies that provide security on the internet and communication networks (for example, IPsec, Secure Socket Layer / Hypertext Transfer Protocol Secure and the 3GPP standards). However, existing 3GPP and internet standards have not completely addressed how to securely implement protocols, test for vulnerabilities and manage security-related issues throughout a product life cycle. In response to this, 3GPP has designed a new set of standards, called Security Assurance Methodology (SECAM), which establishes security requirements not just for products but also for product development processes. According to proposed SECAM rules, accreditors will verify a 3GPP manufacturer s overall capability to produce products that meet a given set of security requirements, which will eliminate the need for explicit certification on a per product basis, while also encouraging a solution based view [7]. Beyond standards, collaboration among relevant stakeholders can encompass a number of practical areas, including information exchange, threat analysis, performance analysis, sharing of best practices and encouraging cutting-edge research. Cooperation is also important for other emerging connected infrastructures such as energy, transport and health care. Stakeholders must also be aware of specific human rights challenges that arise, such as threats to freedom of expression and the right to privacy, as well as other negative impacts that can come from the misuse of connectivity and technology. Particularly, the use of ICT to restrict or violate human rights even if not an intended use of a given technology poses a significant ethical challenge for policymakers and actors across the entire ecosystem. It s crucial that these concerns are highlighted and addressed in a comprehensive way, and that stakeholders work actively and collaboratively to minimize the risk of violations [8]. STANDARD BODIES AND OTHER ORGANIZATIONS Third Generation Partnership Project (3GPP) Alliance for Telecommunications Industry Solutions (ATIS) Cloud Security Alliance (CSA) European Telecommunications Standards Institute (ETSI) GlobalPlatform GSM Association GSMA Internet Engineering Task Force (IETF) International Organization for Standardization (ISO) International Telecommunication Union (ITU) Open Mobile Alliance (OMA) OpenID Foundation Openstack Trusted Computing Group (TCG) GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY A MULTI-STAKEHOLDER APPROACH 6

7 A holistic view It is crucial to work holistically with security, from developing products and creating network architecture to designing operational processes and managing operations. When designing solutions which encompass management, products and services, and the situations in which products and services work together security must be part of the basic architecture, not patched on as an afterthought. Only with secure development practices, secure products and secure processes can networks be operated in a truly secure manner. SECURITY FROM THE START To ensure the appropriate security level, it is important to set ambition levels as early as possible and then follow through on those plans with continuous focus on product or service implementation. An effective model to accomplish this should include the following concepts: > > developing the right security functions for a product or service > > verifying that the security functionality works as expected > > documenting functionality to enable secure operations > > providing professional services to ensure that security requirements are met. The most important R&D processes to assure system security include: risk assessment, security function specification and implementation, hardening and vulnerability analysis. Risk assessment investigates how likely it is that a given product could be hacked or Figure 4: Integrated process for product and service development. attacked and what the impact would be, examining issues such as which interfaces are available and how the product is accessed. The assessment should address individual products and groups of products with similar functionality, while also taking into account possible external considerations. It is important to select the appropriate security functionality and, through security assurance, ensure that the end product has proper and correctly implemented security properties. This means that security risks need to be first evaluated thoroughly. Appropriate countermeasures can then be defined, either by introducing new security tools or specifying requirements on the surrounding infrastructure or usage of the service or network node. This process reaches far into deployment by, for example, hardening of platforms and other operational instructions. Hardening guidelines provide instructions for customers and users to configure the product to a particular security level, both when launching but also over time. All of this ensures end to end security, which could also be described as from design to operations. The vulnerability analysis then validates the quality of the product design by identifying, evaluating and ranking any potential weaknesses through qualitative penetration and fuzz testing meaning real attacks on real network elements. SECURITY BY DESIGN Creating a secure system involves more than just considering the individual products that make up the system. The network design itself contains many complex interdependencies that need to be analyzed and then secured, and it is both more difficult and more expensive to address security issues after a design is completed or already in production. At the core of the concept of security by design are international standards and best practices, as discussed above. Of particular importance in the design phase is the ISO family, which provides processes and best practices for information security, and the ISO Common Criteria, which illustrates well-established methods for security assurance and mutual recognition, with the proposed SECAM specifications from 3GPP a crucial step for increasing assurance in future generations of more open telecom products. GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY A HOLISTIC VIEW 7

8 Security as a continuous process The focus on security cannot end when products are shipped, because security is neither a product in itself nor something that is addressed only once. It must evolve within an ever-changing environment, and R&D must interact with real-world usage in order to detect and identify new threats, either via customer interaction or via collaborations between security incident response teams. Security must therefore be incorporated into the entire development process. Some important specifics to focus on besides risk assessment and vulnerability analysis include secure coding review and design architecture security review and code traceability. Security research is also imperative to developing innovative next generation defense strategies and architectures, which will allow stakeholders to stay ahead of the technology and methods behind malware and cyberattacks. This ongoing focus is necessary both in terms of a stakeholder s internal processes, as well as for how they cooperate, whether regionally, within the organization itself, or across industries. It is crucial to incorporate security-related input and feedback from all possible sources, as only this level of cooperation can maintain and improve the Figure 5: Continuously improving security. resilience of the global communications infrastructure. Looking at internal processes, this means that maintaining security is achieved by a welldefined governance structure, which ensures that the entire organization stays focused on both emerging threats and solutions. This applies to solution development processes and to sales processes, which should ensure that product features are used in a manner compliant with all relevant laws and regulations. Good governance encourages cooperation among stakeholders and the development of secure operational processes on a global scale. It also helps to get a regular awareness of potential and actual security threats, as security concerns and practices vary widely by country and a threat that affects one region today could impact another tomorrow. This type of collective knowledge can help operators, vendors and others deliver more secure solutions and let them feed new lessons directly into their own development process. GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY SECURITY AS A CONTINUOUS PROCESS 8

9 Conclusion Security is a continuous process that will influence every sector of the digital ecosystem. It is also an area that will become even more critical in the future, as technology and connectivity reach into our lives for purposes we can t even imagine. This requires a unified multi-stakeholder approach that encompasses a range of threats and impacts, including network security and economic considerations. The breadth of this challenge will force vendors, operators, developers, governments and users to view security holistically. Solution design processes must incorporate security from the start and consider it at the device, platform, application, and system level, and companies and organizations must put internal governance structures in place to foster an effective security culture. All stakeholders must then focus on security as a continuous process. It will take this level of collective vigilance to ensure that security doesn t become a barrier to reaching the potential of the Networked Society for people, business and society at large. GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY CONCLUSION 9

10 GLOSSARY ATIS BYOD CSA ETSI IETF IPsec ISO M2M OMA SECAM TCG Alliance for Telecommunications Industry Solutions bring your own device Cloud Security Alliance European Telecommunications Standards Institute Internet Engineering Task Force IP Security International Organization for Standardization machine-to-machine Open Mobile Alliance Security Assurance Methodology Trusted Computing Group GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY GLOSSARY 10

11 References 1. Ericsson, February 2014, Ericsson Mobility Report interim update. Available at: 2. Ericsson, November 2013, Ericsson Mobility Report. Available at: 3. Ericsson ConsumerLab, February 2014, Privacy, security and safety online. Available at: 4. United States of America, Executive Order, The White House, Office of the Press Secretary, February 2013, Improving Critical Infrastructure Cybersecurity. 5. European Commission, High Representative of the European Union for Foreign Affairs and Security Policy, February 2013, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace. 6. Republic of India, Ministry of Communication and Information Technology, Department of Electronics and Information Technology, July Ericsson Review, January 2014, Setting the standard: methodology counters security threats. Available at: 8. Ericsson, May 2013, ICT and Human Rights An ecosystem approach, Available at: Ericsson AB All rights reserved GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY REFERENCES 11