This issue of XML Daily Newslink is sponsored by:
Microsoft Corporation http://www.microsoft.com
- NIST Issues First Release of Framework for Smart Grid Interoperability
- Transport of Real-time Inter-network Defense (RID) Messages
- The acr URI for Anonymous Users
- Cryptographic Key Management Workshop Summary: NIST IR 7609
- Mark Logic Launches Information Infrastructure in the Cloud
- End-to-End Encryption: Beyond PCI Compliance
NIST Issues First Release of Framework for Smart Grid Interoperability
Staff, U.S. National Institute of Standards and Technology (NIST) SP
"The U.S. Commerce Department's National Institute of Standards and Technology (NIST) has published an initial list of standards, a preliminary cyber security strategy, and other elements of a framework to support transforming the nation's aging electric power system into an interoperable Smart Grid. The 145-page NIST Special Publication 1108 is titled NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0, produced by the U.S. Office of the National Coordinator for Smart Grid Interoperability...
Under the Energy Independence and Security Act of 2007 (EISA), the National Institute of Standards and Technology (NIST) is assigned the primary responsibility to coordinate development of a framework that includes protocols and model standards for information management to achieve interoperability of Smart Grid devices and systems... Recognizing the urgency, NIST developed a three-phase plan to accelerate the identification of an initial set of standards and to establish a robust framework for the sustaining development of the many additional standards that will be needed and for setting up a conformity testing and certification infrastructure.
This document is the output of the first phase of the NIST plan. It describes a high-level conceptual reference model for the Smart Grid, identifies 75 existing standards that are applicable (or likely to be applicable) to the ongoing development of the Smart Grid, specifies fifteen high-priority gaps and harmonization issues (in addition to cyber security) for which new or revised standards and requirements are needed, documents action plans with aggressive timelines by which designated standards-setting organizations (SSOs) will address these gaps, and describes the strategy to establish requirements and standards to help ensure Smart Grid cyber security. This document was drafted through an open public process that engaged the broad spectrum of Smart Grid stakeholder communities and the general public. Input was provided through three public workshops in which more than 1,500 individuals representing hundreds of organizations participated.
In this report, the total (75 standards) is divided into two sets. The first set of 25 standards, specifications, and guidelines is the product of three rounds of review and comment. The set of 50 additional standards was compiled on the basis of stakeholder inputs received during the second and third rounds of review and comment. Some of the standards in the two sets are mature, others require revisions to accommodate Smart Grid applications and requirements, and still others are in the draft stage and not yet publicly available. As part of the Priority Action Plans devised during the first phase of the NIST plan for Smart Grid interoperability, candidate standards requiring revisions and draft standards still in development are undergoing further review and consensus development. Collectively, these 75 standards represent a small subset of the totality of standards that ultimately will be required to build a safe, secure Smart Grid that is interoperable, end to end..."
See also: the NIST announcement
Transport of Real-time Inter-network Defense (RID) Messages
Kathleen M. Moriarty and Brian H. Trammell (eds), IETF Internet Draft
IETF has released an updated version of the Standards Track specification Transport of Real-time Inter-network Defense (RID) Messages. Abstract: Documents intended to be shared among multiple constituencies must share a common format and transport mechanism. The Incident Object Description Exchange Format (IODEF) defines a common XML format for document exchange, and Realtime Internetwork Defense (RID) defines extensions to IODEF intended for the cooperative handling of security incidents within consortia of network operators and enterprises. This document outlines the transport of IODEF and RID messages over HTTP/TLS.
From The Incident Object Description Exchange Format (IETF Standards Track Request for Comments #5070, Proposed Standard): "The Incident Object Description Exchange Format (IODEF) is a format for representing computer security information commonly exchanged between Computer Security Incident Response Teams (CSIRTs). It provides an XML representation for conveying incident information across administrative domains between parties that have an operational responsibility of remediation or a watch-and-warning over a defined constituency. The data model encodes information about hosts, networks, and the services running on these systems; attack methodology and associated forensic evidence; impact of the activity; and limited approaches for documenting workflow..."
IODEF defines a message format, not a transport protocol, as the sharing of messages is assumed to be out of scope in order to allow CSIRTs to exchange and store messages in a way most suited to their established incident handling processes. However, extensions such as Real-time Inter-network Defense (RID) do require a specification of a transport protocol to ensure interoperability among members in a RID consortium... Note that any IODEF message may also be transported using this mechanism, by sending it as a RID Report message.
For RID Messages over HTTP/TLS, each RID server is both an HTTP/TLS server and an HTTP/TLS client. When a RID message must be sent, the sending RID system connects to the receiving RID system and sends the message, optionally receiving a message in reply. All RID systems MUST be prepared to accept HTTP/TLS connections from any RID peer with which they communicate, in order to support callback for delayed replies..."
The acr URI for Anonymous Users
Sune Jakobsson and Kevin Smith (eds), IETF Internet Draft
IETF has published an initial level -00 Informational Internet Draft with the title The acr URI for Anonymous Users. The document specifies a new URI (Uniform Resource Identifier) scheme "acr" which describes an anonymous reference that can be mapped to a resource or user.
There are multiple situations where the true identity of a user or a resource cannot be disclosed. The "acr" URI is a globally unique identifier ('name') only; it does not describe the steps necessary to reach the user or the device. However, it can contain a parameter indicating what body or organisation could resolve it. It is intended for privacy protection, where a user trusts a translating party that can route or forward the request or message to the true user or resource.
The 'anonymous-subscriber-identifier' can be created from some suitable user or customer data such as a phone number and validation date. In order to provide anonymisation, this data MUST not be included unchanged within the ACR. Rather it MUST be encrypted, hashed, represented by a lookup reference or otherwise obfuscated. The issuing provider is responsible for dereferencing the ACR to the user or resource.
Existing privacy policies and legislation restrict the sharing of certain user identifiers, such as the MSISDN, since it may be used to breach a user's privacy (unauthorized location lookup, cold calling, SMS spam etc.). An ACR prevents such identifiers from being circulated. Mobile, broadband and other access networks do not typically share a user identifier. The acr is not bound to a particular access network and can hence be used to provision user identifiers between networks. The ACR can also help the implementation of SIP privacy considerations, as detailed in RFC 3323; specifically the ACR can be used as the value for the 'anonymous from' header field, and is consistent with the recommendation to remove Subject, Call-info, Organization, User Agent, Reply-To, and In-Reply-To..."
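As an added illustration (not code from the draft), the following Python sketch models an issuing provider that mints and dereferences an ACR under the excerpt's rule that customer data must be hashed, encrypted or replaced by a lookup reference rather than carried in the clear. The `acr:<identifier>@<provider>` layout, the class and function names, and the constructed key and phone number are assumptions; the draft excerpt fixes none of them.

```python
import hashlib
import hmac
import secrets
from datetime import date

SCHEME = "acr"  # assumed layout: acr:<anonymous-subscriber-identifier>@<issuing provider>


class AcrIssuer:
    """Issuing provider: mints ACRs and is the only party able to dereference them."""

    def __init__(self, provider: str, key: bytes):
        self.provider = provider
        self._key = key      # per-provider secret; never leaves the issuer
        self._table = {}     # identifier -> (msisdn, valid_until)

    def issue(self, msisdn: str, valid_until: str, stable: bool = False) -> str:
        date.fromisoformat(valid_until)          # reject malformed validation dates early
        if stable:
            # Keyed MAC rather than a plain hash: the phone-number space is small
            # enough that an unkeyed hash could be reversed by enumeration. The
            # same input yields the same ACR, so such references are linkable.
            msg = f"{msisdn}|{valid_until}".encode()
            ident = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]
        else:
            # Opaque lookup reference: unlinkable, resolvable only via the issuer's table.
            ident = secrets.token_hex(16)
        self._table[ident] = (msisdn, valid_until)
        return f"{SCHEME}:{ident}@{self.provider}"

    def resolve(self, acr: str, today: str):
        """Dereference an ACR to the subscriber; None if not ours, unknown or expired."""
        scheme, _, rest = acr.partition(":")
        ident, _, provider = rest.rpartition("@")
        if scheme != SCHEME or provider != self.provider:
            return None
        entry = self._table.get(ident)
        if entry is None or today > entry[1]:    # ISO dates compare lexicographically
            return None
        return entry[0]


def leaks_identifier(acr: str, *raw_data: str) -> bool:
    """True if any raw customer datum appears unchanged inside the ACR (forbidden)."""
    return any(item in acr for item in raw_data)
```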
Cryptographic Key Management Workshop Summary: NIST IR 7609
Staff, U.S. National Institute of Standards and Technology Interagency Report
Members of NIST's Computer Security Division, Information Technology Laboratory, have released the final NIST Interagency Report 7609, Cryptographic Key Management Workshop Summary (June 8-9, 2009). Edited by Elaine Barker, Dennis Branstad, Santosh Chokhani, and Miles Smid, this 67-page report [NIST Interagency Report - IR 7609] provides highlights of a workshop that was held in June 2009 to discuss the current state of key management systems, to identify future needs, and to discuss the development of a Cryptographic Key Management Design Framework that will address the issues discussed during the workshop. The intended audience of this document includes individuals and organizations seeking to better understand cryptographic key management, with an emphasis on those planning to design, procure, or use a secure CKM system.
On June 8 and 9, 2009, NIST held a Cryptographic Key Management (CKM) Workshop at its Gaithersburg, Maryland, campus that attracted approximately 80 people attending the workshop in person, with another 75 participating through video conferencing, and an additional 36 participating via audio teleconferencing. A total of 36 speakers, including technical experts, security standards leaders, and experienced managers gave presentations on various aspects of CKM during the workshop. Two presentations were made remotely via audio teleconferencing facilities. This summary provides the highlights of workshop presentations organized both by major CKM topics and also by presenter.
Key management has been identified as a major component of national cybersecurity initiatives that address the protection of information processing applications. Numerous problems have been identified in current key management methodologies, including the lack of guidance, inadequate scalability of the methods used to distribute keys, and user dissatisfaction because of the unfriendliness of these methods. The workshop sought to identify the inadequacies of current key management methodologies and to plan for a transition to more useful and appropriate key management methods.
NIST conducted the workshop in order to: (1) identify future computing environments, the international enterprises likely to utilize them, the applications that will be performed in them, and an array of key management mechanisms and protocols that will be needed to provide appropriate security for the applications; (2) discuss the creation of a key management system design framework that will support the use of effective cryptographic mechanisms required to provide security for these environments and applications; (3) lay a foundation for a comprehensive plan in developing, standardizing, and adopting scalable, usable, and secure key management practices..."
See also: Cryptographic Key Management
Mark Logic Launches Information Infrastructure in the Cloud
Staff, Mark Logic Corporation Announcement
"Mark Logic, a leading provider of information infrastructure software, has announced MarkLogic Cloud Services, a new line of services that will make Mark Logic software available on Amazon Web Services. The first such offering in this line is MarkLogic Server for EC2, which enables customers to use MarkLogic on a pay-by-the-hour basis on Amazon EC2, the popular elastic computing cloud platform.
MarkLogic Server for EC2 consists of an Amazon Machine Image (AMI) with MarkLogic Server pre-installed. For faster and easier deployment, users can subscribe to the MarkLogic Server AMI directly from Amazon Web Services. This service also allows users to manage costs more effectively because customers pay for only the resources they need.
MarkLogic Server is also now certified on two cloud infrastructures. The first is Amazon EC2, where customers can deploy MarkLogic Server on this low cost, highly flexible infrastructure offered by Amazon Web Services. The second is the VMware virtualization platform, which enables customers to implement clouds on self-managed hardware..."
See also: the Mark Logic Rockstar
End-to-End Encryption: Beyond PCI Compliance
Paul Meadowcroft, E-Commerce Times
"The Payment Card Industry Data Security Standard (PCI DSS) has undoubtedly made a significant improvement to the security of cardholder account numbers and other sensitive information within the payment card infrastructure. The standard lays out a strong set of requirements that merchants, acquirers and processors must follow. However, complying with PCI DSS should not be considered a silver bullet for protecting information and battling fraud...
While PCI DSS mandates data encryption at various points in the payments cycle, it does not explicitly prescribe end-to-end encryption -- the most sophisticated and successful approach for protecting sensitive cardholder data and other information. Only by implementing end-to-end data protection throughout the entire payment ecosystem can the industry actually achieve the needed security for sensitive data. An example of this is how PIN data is protected in today's environment—from the point of entry all the way to the Issuer.
Substantiating this approach, Visa has recently issued its global industry best practices for data field encryption, also known as 'end-to-end encryption.' Included in Visa's best practices is guidance to use robust key management solutions and encryption consistent with international and regional standards. This includes the management of encryption/decryption keys within Secure Cryptographic Devices such as PIN Entry Devices (PEDs) or Hardware Security Modules (HSMs). However, despite the growing recognition of the benefits of encryption, there remains a general lack of understanding about deploying and, more importantly, managing the process...
Several initiatives under way aim to provide standards that can help in the development of common methods for exchanging and managing keys between systems. These include key management standards such as IEEE 1619.3 and the OASIS Key Management Interoperability Protocol (KMIP). As these standards find their way into general adoption, the situation for centralized and uniform key management will improve, allowing security administrators the ability to bring all key management under a unified umbrella. Measures such as these will help enable organizations to implement cohesive key management strategies moving forward. Once a well thought-out approach to key management is established, effective security policies, reporting practices and, ultimately, a stronger sense of control over data will be achieved..."
See also: KMIP references
XML Daily Newslink and Cover Pages sponsored by:
Sun Microsystems, Inc. http://sun.com
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html
Cover Pages: http://xml.coverpages.org/