Information security and the need for interoperability standards
18 September 2018
Elisabetta Zaccaria, chairman of Secure Chorus, discusses information security gaps in today’s interconnected world and highlights the importance of developing interoperability standards through industry collaboration.
Today, the global digital economy is growing at an unprecedented rate in both complexity and scale, with the result that commercial and governmental organisations are confronted daily by a multi-faceted security threat landscape. As the number of high-profile security breaches hitting the headlines escalates, organisations are becoming more concerned about data security, especially as the requirement to transmit data to third parties outside their security perimeter and across geographical boundaries increases. Attacks on critical national infrastructure (CNI), healthcare organisations, financial institutions and industry will become the new norm, with the consequences of such breaches in data security potentially catastrophic.
With digital communication products being produced the world over, by an expanding number of technology providers, incompatibilities between these products are a source of information security risk. Technology products that fail to maintain compatibility with other products (a feature known as ‘interoperability’) tend to create scenarios in which users resort to transferring (or processing) data from one technology product to another in an insecure way. To combat this, there is now a pressing requirement for industry to co-operate on the development of interoperability standards.
Technology standards are industry-wide published documents that establish specifications and procedures in the areas of product reliability, safety, security and interoperability (in order to achieve compatibility with other technology products). Because of their widespread availability and applicability they also foster innovation, often simplifying the product development process.
There are two main ways in which technology standards are created. The first is the emergence of a ‘de facto’ standard that becomes widely adopted and accepted by an industry. The second is the development of a consensus-based standard, achieved through the mutual agreement of standards development industry groups or bodies, such as European Technology Standards Institute (ETSI), Internet Engineering Task Force (IETF), IEEE, IEC (International Electrotechnical Commission) or ISO (International Organization for Standardization).
There is an increasing need within user communities for interoperable information security technologies. Many organisations rely on a diverse mixture of data processing and multimedia communication systems and solutions, sometimes referred to as ‘heterogeneous computing environments’. Even if an organisation chooses to adopt a single system for all its needs – a homogeneous internal computing environment – its users are faced with heterogeneity outside the organisation’s security perimeter. Security gaps created by non-compatible technologies present major information security challenges, making interoperability even more important in order to maintain effective intra- and inter-organisational data security.
The benefits of interoperability also extend beyond security. These include a reduction in operational cost and complexity. The ability of these technologies to interoperate reduces the cost of building and supporting a heterogeneous infrastructure. Customers will also continue to have mixed internal and external security environments: a ‘best-of-breed’ environment in which opportunities to adopt new innovative solutions can flourish.
Secure Chorus is a not-for-profit membership organisation serving as a platform for government-industry collaboration for the development of strategies, common interoperability standards and tangible capabilities for the information security sector. Central to the Secure Chorus philosophy is that to effectively address data security requirements in enterprise, vendors need to offer information security technologies that are interoperable.
All Secure Chorus member technologies use MIKEY-SAKKE, an open cryptography standard. This has enabled Secure Chorus to define with its members a range of interoperability standards that ensures members’ products can work with one another and the systems implementing these technologies.
MIKEY-SAKKE identity-based public key cryptography provides for end-to-end encryption and can be used in a variety of environments, both at rest (e.g. storage) and in transmission (e.g. network systems). Designed to be centrally managed, it gives enterprises full control of system security as well as the ability to comply with any auditing requirements, through a managed and logged process. Additional benefits include scale and flexibility.
MIKEY-SAKKE was developed by the UK government’s National Technical Authority for Information Assurance (CESG), which is now part of the National Cyber Security Centre (NCSC) and a government member of Secure Chorus. MIKEY-SAKKE was standardised by the Internet Engineering Task Force (IETF). It has also recently been approved by the 3rd Generation Partnership Project (3GPP), the body responsible for standardising mobile communications for use in critical applications, receiving endorsement at global level for its approach to public key cryptography.
Despite the appropriate use of standards being clearly beneficial to achieving a strong approach to security in a cross-border environment – with some providers regarding their use of recognised standards as a unique selling point – these standards aren’t always adopted across industry. This resistance to common standards usually comes in the form of market-dominant companies retaining their own proprietary standards, with the result that several major companies are not supporting and implementing common standards for their products.
The main advantage of proprietary standards for market-dominant companies is that they lock the customer in to their product. But this is not necessarily a benefit to the customer, as this ‘lock-in’ removes the flexibility to specify or integrate compatible products from other vendors. This ultimately has a negative effect on innovation, and has the strong potential to prevent users from choosing a solution that best matches their requirements.
Secure Chorus’ vision is to break away from the vendor ‘lock-in’ product approach and move towards an ecosystem of interoperable information security technologies. In doing so, the marketplace will be more open to innovation, and most importantly, will make the sharing of data much safer.
About Elisabetta Zaccaria, Chairman Secure Chorus
Elisabetta is co-founder and Chairman of Secure Chorus, prior to which she was Group Chief Strategy Officer & Chief Operating Officer of Global Strategies Group, where she set the strategy and co-led the company’s explosive growth, turning the start-up into a $600 million revenue international business in six years.
About Secure Chorus
Secure Chorus is a not-for-profit membership organisation, serving as a platform for government-industry collaboration, for the development of strategies, common technology standards and capabilities for the long-term information security of our global digitally enabled economy. For more information visit www.securechorus.org and follow the company on LinkedIn and Twitter.